Respect for privacy and more specifically, the protection of personal data (hereinafter referred to as "PD") against unauthorised disclosures or processing, is a primary consideration for Keytrade Bank ("the Bank").
Personal data means any information relating to an identified or identifiable natural person, in particular by reference to an identifier (which may be a number). In other words, as soon as a person can be identified on the basis of information available to the data controller, any data relating to this person (assets, age, bank account number, address, etc.) are personal data.
This Policy applies both to PD which are initially collected when you visit the Bank's Website and when you contact the Bank, and to data which are subsequently obtained by the Bank (for example, when you sign up to an additional product or service, or when you update data you initially provided).
The processing of your PD is subject to compliance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, known as the "GDPR", as well as all regulations applying to PD 1.
This Policy is updated regularly. The Bank invites you to check its Website on a regular basis to see the version of the Policy currently in force.
All terms not defined in this Policy and written with a capital letter have the meaning described in the Bank’s General Terms and Conditions.
- The Law of 30 July 2018 on the protection of individuals with regard to the processing of PD
- The Law of 13 June 2005 on electronic communications
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
Keytrade Bank, the Belgian branch of Arkéa Direct Bank SA (France), situated at Boulevard du Souverain 100, 1170 Brussels and registered under CBE number BE 0879.257.191., is the data controller for your PD.
As a branch of Arkéa Direct Bank SA (France), itself a subsidiary of Crédit Mutuel Arkéa, the Bank is part of the Crédit Mutuel Arkéa group.
Within Keytrade Bank, the DPO Team is responsible for the daily monitoring of GDPR issues (first point of contact) and for compliance with the regulations applicable to PD.
If you have any questions, would like to submit a request to exercise one of your rights under the GDPR or are faced with a problem concerning your PD, you can contact our DPO Team by e-mail at firstname.lastname@example.org or by post at Boulevard du Souverain 100, 1170 Brussels.
Keytrade Bank has appointed a Data Protection Officer ("DPO"), whose role is in particular to inform and advise the Bank on all matters relating to the protection of PD. You can contact the Data Protection Officer:
- By post: Data Protection Officer – Crédit Mutuel Arkéa – 1 rue Louis Lichou, 29808 Brest Cedex 9, France
The various categories of PD that the Bank collects in the context of the banking relationship or when you contact it are as follows:
- Identification data: your surname, first name(s), address, identity card number, national registration number, e-mail address, telephone number, login information;
- Transaction data: these are all data relating to your bank and stock market transactions, including your account numbers, card numbers, banking communications, withdrawals, transfers relating to your accounts, any defaults on loan repayments to the Bank, etc.;
- Financial data: your bills, payslips, income, the value of your personal property or real estate, repayment capacity, the origin of your funds or assets, etc.;
- Personal data: your surname, first name(s), age, gender, date of birth, place of birth, marital status and nationality;
- Household composition data: your family situation, details about other members of your household, etc.;
- Data relating to your level of knowledge and experience or to your investor profile: your knowledge and experience of financial instruments and your financial situation, including your ability to bear losses, your investment objectives and your risk tolerance;
- Data relating to satisfaction surveys or from the contact you have with the Bank;
- Audiovisual and electronic data: video surveillance recordings from our branches, telephone recordings from our customer service department or records of e-mail communications;
- Data concerning your legal capacity to enter into certain contracts or to perform certain actions: in proceedings relating to collective debt settlement, bankruptcy or incapacity, inclusion on the blacklist of the Central Individual Credit Register of the National Bank of Belgium;
- Data obtained via cookies and other similar technologies: IP address, browser version, how you behave on the website, how many times you have visited the Transaction Website (logs). For more information, please refer to our Cookies Policy.
3. When does the Bank collect your PD?
The Bank collects your PD on the basis of the different sources mentioned below.
4. In what circumstances are you required to provide your PD to the Bank?
The Bank undertakes to only ask you for the data it needs to properly examine your request, either when you open a bank account or when you subscribe to a service and/or product (the concept of privacy by default). So that the principle of privacy by default is respected, every request for information sent to customers and prospective customers (for example, when they sign up to a product online) has been reviewed by the DPO Team, who ensures they are able to justify why each piece of data requested is necessary in view of the purpose for which it is collected.
The majority of these data are requested so that the Bank can comply with the current PD regulations (law on the prevention of money laundering, MiFID, Regulation (EU) 596/2014 on market abuse, etc.)
You do, of course, have the right to refuse to disclose these data, but if this refusal prevents the Bank from complying with its legal obligations, it will be obliged to refuse you the service and/or product.
Since the Bank is an online bank, it needs an e-mail address in order to provide you with certain information that it must send you. Without an e-mail address and a mobile telephone number to validate the opening of a bank account, the Bank cannot enter into a customer relationship with you.
If an item of data is not required by law, the Bank indicates this and you can continue your request for products and/or services without providing this data. These data are mainly intended to improve your customer experience (by personalising your customer environment: adding a photo, naming your accounts, adapting the display of your customer area, etc.)
5. For what purposes and on what legal basis does the Bank process your PD?
In the remainder of this section, the Bank will specify the different PD processing activities it carries out. In general, the Bank processes your data on the following legal grounds:
- in order to comply with all statutory and regulatory provisions applicable to the Bank;
- in connection with the performance of the contract or with pre-contractual measures;
- in order to pursue the Bank's legitimate interests, maintaining a balance between these legitimate interests and respect for your privacy, or;
- when you have given your consent for a specific purpose or purposes.
5.1 Statutory obligations
The Bank is bound by a number of statutory and regulatory obligations that require us to process your PD. These obligations mainly fall within the areas mentioned below.
5.2 Pre-contractual relationship
5.3 Contractual relationship – products
As part of its handling of complaints, the Bank must process, and possibly transfer, PD to the parties involved (the person making the complaint, the persons involved in processing the case, Test Achats, Ombudsfin, etc.) in order to be able to respond to the complaint and defend its interests. The Bank will only process and disclose those PD it deems necessary for due and correct handling of the claim.
5.4 Contractual relationship – means of communication
5.5 Legitimate interests
The Bank also processes your data in order to pursue its legitimate interests. For this purpose, whenever it processes data, the Bank strives to maintain a fair balance between its data processing needs and respect for your rights and freedoms.
For processing activities that are based on legitimate interest, you always have the right to object to processing. In this case, the Bank will no longer process your data for this purpose unless its rights take precedence over your fundamental rights and freedoms.
PD are thus processed for the purposes listed below.
In some cases, the Bank will only process your PD if it has specifically obtained your consent to do so.
6 Direct marketing
Depending on the date on which you opened the bank account, you may or may not have had the possibility to give your consent to receive direct marketing communications.
If you gave your consent to receiving direct marketing when entering into the banking relationship, the Bank will process your PD, and in particular your contact details, to send you direct marketing (opt-in). If you did not give your consent when entering into the banking relationship, the Bank will not send you any advertising communications or process your data for this purpose (opt-out).
If the Bank did not request your consent when the banking relationship was entered into, the Bank sends direct marketing on the basis of its legitimate interests (soft opt-in). You can request a copy of the Bank's analysis of its legitimate interests.
In practice, this means that you may be contacted in the following cases, for example:
- about products or services in which you have shown an interest (for example, by registering for an information session or by performing a simulation of the product or service);
- when the Bank markets products or services which, according to the Bank's analyses, match your requirements; the Bank analyses the results of its marketing activities to measure how effective its campaigns have been and thus in order to offer you, as a customer, more relevant services and products;
In connection with its direct marketing, the Bank may contact you by e-mail, telephone (text message and telephone calls) or by ordinary post. The Bank will choose the most appropriate and least intrusive method of communication, depending on the purpose of the communication. The Bank favours e-mail communications in order to inform you about existing or new products and services.
Any advertising communication sent by the Bank contains a link enabling you to easily withdraw your consent and/or object to the processing of your data for marketing purposes.
You can also indicate at any time that you no longer wish to receive direct marketing by logging on to the Transaction Website > Preferences > Personal Data > Communication. The Bank will never process your data if you have withdrawn your consent or have objected to the processing of your PD for marketing purposes.
The Bank does not send advertising communications if you do not have an active banking relationship with us (prospective customers and customers whose accounts have been closed are therefore excluded).
7 Cookies and similar technologies
Profiling is the automated processing of your PD to assess certain personal factors such as your interests or your personal preferences, etc.
In order to offer you certain products and services quickly and efficiently, your PD may occasionally be processed in an automated manner either fully or in part, which may result in a decision with legal effects or similarly significant effects on you. This is automated decision-making.
There are three forms of profiling:
- Profiling in general (which has no legal effects on you);
- Human decision-making based on the results of profiling (which has no legal effects on you);
- A fully automated decision (which has legal effects or similarly significant effects on you).
9 Retention period
As regards retention periods, a distinction should be made between active databases and archive databases. Customer data relating to their banking activity and the products they have taken out are kept in an active database for as long as they use the product and their banking relationship continues. As soon as all of a customer’s banking activities have ceased, all of their data are transferred to an archive database. When a customer no longer has a product, only the data for that product will be archived. When the data are placed in an archive database, the Bank no longer processes the data unless there is a regulatory obligation to do so, and merely retains the data.
The Bank ensures it does not store your personal data in the active database for any longer than the period necessary for the processing activity for which they have been collected.
When assessing the retention period of your PD in the archive database, the Bank takes into account the applicable regulatory requirements (e.g. requirements resulting from the AML-FT Act).
10 Security measures for data management
11 What are your rights?
12 How can you exercise your rights?
Customers can send their request from their authenticated e-mail address (i.e. either the e-mail address they entered when opening their account, or any e-mail address they provided subsequently which has been validated by the Bank) to email@example.com, without having to attach a copy of their identity card.
If you no longer have access to your authenticated e-mail address or are not a customer, you must send your request to the Bank together with a legible copy of the front and back of your identity card by e-mailing firstname.lastname@example.org in order to exercise your rights.
Following receipt of a complete request from you, the Bank will assess its validity. If you are entitled to exercise the right invoked, it will take the necessary action as swiftly as possible.
In all cases, the Bank will respond to you within one month. If your request is complex, the Bank will inform you within one month and will contact you again with the information requested within a maximum additional period of two months.
If you request any copies or additional information when exercising your right to access your PD, the Bank may charge you a reasonable amount for administrative costs.
13 Who should you contact in the event of a complaint?
Should you have any complaints about how your PD are processed, you may submit an application for mediation to the Data Protection Authority at the following address:
Autorité de protection des données Rue de la Presse 35 1000 Bruxelles Tél : +32 2 274 48 00 Mail : email@example.com