Protection of privacy is a primary consideration for Keytrade Bank (the "Bank").
This Policy aims to explain clearly and simply to you how the Bank collects, processes and stores your personal data.
This Policy applies both to data which are initially collected when you visit the Bank's Website and when you contact the Bank, and data which are subsequently obtained by the Bank (for example, when you subscribe to an additional product or service, or when you update data you initially provided).
Your data are currently processed in compliance with Regulation (EU) No. 2016/679 of 27 April 2016, the General Data Protection Regulation (known as "GDPR"), as well as any regulations applying to personal data. For more detailed information about data protection, please visit the Data protection authority website (https://www.dataprotectionauthority.be/citizen).
This Policy is updated regularly. The Bank invites you to check its Website on a regular basis to see the version of the Policy currently in force.
- Who is the data controller of your personal data?
- What do we mean by personal data?
- When does the Bank collect your personal data?
- Where does the Bank collect data about you?
- In what circumstances are you required to provide your personal data to the Bank?
- For what purposes and on what basis do we process your personal data?
- Cookies and similar technologies
- Automated decision-making and profiling
- Storage period
- Data security
- Who receives your data? To whom may your data be transferred?
- What are your rights?
- How can you exercise your rights?
- Who should you contact in the event of a complaint?
1. Who is your data controller?
Your data controller is KEYTRADE BANK, the Belgian branch of ARKEA DIRECT BANK SA (France), which is situated at Boulevard du Souverain 100, 1170 Brussels, and registered under number BE 0879.257.191.
As a branch of Arkéa Direct Bank SA (France), itself a subsidiary of Crédit Mutuel Arkéa, the Bank is part of the Crédit Mutuel Arkéa group.
Within Keytrade Bank, the DPO Team is responsible for the daily monitoring of GDPR issues (first point of contact) and for compliance with the regulations applicable to personal data.
If you have any questions, would like to submit a request to exercise one of your rights under the GDPR or are faced with a problem concerning your personal data, you can contact our DPO Team by e-mail at email@example.com or by post at Boulevard du Souverain 100, 1170 Brussels.
Keytrade Bank has appointed a Data Protection Officer ("DPO"), whose role is in particular to inform and advise the Bank on all matters relating to the protection of personal data within Keytrade Bank. You can contact the Data Protection Officer:
- By post: Data Protection Officer – Crédit Mutuel Arkéa – 1 rue Louis Lichou, 29808 Brest Cedex 9, France
- By e-mail: firstname.lastname@example.org
2. What do we mean by personal data?
By personal data, we mean not only data that identify you directly, but also data that identify you indirectly.
The Bank generally needs to collect the following different types of personal data (this list is not exhaustive):
3. When does the Bank collect your personal data?
4. Where does the Bank collect data about you?
In most cases, you provide the personal data that the Bank processes. However, the Bank does also sometimes obtain these data from third parties. In particular, this happens when:
5. In what circumstances are you required to provide your personal data to the Bank?
If you wish to open an account with the Bank or use our products and/or services, you will be required to provide us with some information about yourself. The Bank is obliged to comply with the legislation in force and, in certain circumstances, this entails obtaining personal data (e.g. the law on the prevention of money laundering, MiFID, etc.)
You do, of course, have the right to refuse to disclose this information, but if this refusal prevents the Bank from complying with its legal obligations, it will be obliged to refuse you the service and/or product.
6. For what purposes and on what basis do we process your personal data?
Generally, the Bank processes your personal data either:
6.1 Statutory obligations
The Bank is bound by a number of statutory and regulatory obligations that require us to process your data. These obligations mainly fall within the following areas:
The list of statutory and regulatory fields which require the Bank to process your data is non-exhaustive and may change.
6.2 Contractual and pre-contractual relations
Before entering into a contract, the Bank may – and in some cases, must – obtain and process certain items of personal data, in particular in order to:
More specifically, in the execution of contracts, the Bank processes your data as follows:
- trading in financial instruments and subscription to financial products;
- management and granting of credit facilities, by assessing the overall credit risk;;
6.3 Legitimate interests
The Bank also processes your data in order to pursue its legitimate interests. For this purpose, whenever it processes data the Bank strives to maintain a fair balance between its data processing needs and respect for your rights and freedoms, and particularly privacy.
Personal data are therefore processed in order to:
- we use transaction data in order to better understand how our services are used, in order to improve them
- we also analyse the results of our marketing activities to measure how effective our campaigns have been, in order to offer you more relevant services and products;
- we analyse the results of surveys conducted among our customers and customer views expressed when they come into contact with us, in order to improve customer relationships and our products and services;
In some cases, the Bank will only process your personal data if it has specifically obtained your consent to do so.
6.5 Direct marketing
Depending on the date on which you entered into the banking relationship, you may or may not have needed to give your consent to receive advertising communications.
If you gave your consent to receive advertising communications when entering into the banking relationship, the Bank will process your personal data, and in particular your contact details, to send you advertising communications (opt-in). If you did not give your consent when entering into the banking relationship, the Bank will not send you any advertising communications or process your data for this purpose (opt-out).
If the Bank did not request your consent when the banking relationship was entered into, the Bank sends advertising communications on the basis of its legitimate interests (soft opt-in).
In practice, this means that you may be contacted in the following cases, for example:
To send its advertising communications, the Bank may contact you by e-mail, telephone or ordinary mail. The Bank will choose the most appropriate and least intrusive method of communication, depending on the purpose of the communication. The Bank favours e-mail communications in order to inform you of (new) products and services.
Any advertising communication sent by the Bank contains a link enabling you to easily withdraw your consent and/or object to the processing of your data for marketing purposes.
You can also indicate at any time that you no longer wish to receive advertising communications by logging in to the Transaction Site > Preferences > Personal Data > Communication. The Bank will never process your data if you have withdrawn your consent or have objected to the processing of your personal data for marketing purposes.
The Bank does not send advertising communications if you do not have an active banking relationship with it (prospective customers and customers whose accounts are closed are therefore excluded).
7. Cookies and similar technologies
When third parties place cookies on the Bank's website, you will be able to access their data protection policy via links on the Bank's website. We recommend that you read their data protection policies carefully.
8. Profiling and automated decision-making
Profiling is the automated processing of your personal data to assess certain personal factors such as your interests, your personal preferences, etc.
In order to offer you certain products and services quickly and efficiently, your personal data may occasionally be processed in an automated manner either fully or in part, which may result in a decision with legal effects or similarly significant effects on you. This is automated decision-making.
There are three forms of profiling:
8.1 Profiling in general
The Bank markets a huge range of financial products and services (savings accounts, investment services, pension savings, insurance, mortgage loans, consumer credit, etc.). In order to identify the products and services that actually correspond to your needs, the Bank implements profiling based on some of your personal data.
Thanks to profiling, the Bank is able to write tailor-made advertising communications and limit correspondence to communications which it truly believes are relevant to you. The products and services will remain accessible to all the Bank's customers, unless excluded by law, even if the profiling has not identified that the products correspond to the needs or interests of certain categories of customers.
You can object to profiling for marketing purposes at any time by logging in to the Transaction Site > Preferences > Personal Data > Communication. Each advertising communication also contains a link which allows you to easily object to profiling for marketing purposes.
The Bank also performs profiling for other purposes, such as:
Where the Bank uses profiling based on its legitimate interests, it will carefully assess the legitimate interest in advance to determine whether the implementation of profiling is justified. It will also, in any event, take the necessary measures to minimise any impact on your rights and freedoms.
8.2 Human decisions based on profiling results
These occur when an application is made for a mortgage loan or credit card. The decision of the case manager to grant or refuse you a loan or a credit facility will in part be based on the result of profiling carried out by an algorithm. This algorithm uses the data you have sent to us as part of your application for credit, as well external data (from the Central Individual Credit Register and non-regulated registrations). This algorithm assesses your ability to repay the loan or credit facility you have applied for, and aims to enable the case manager to make a quick and non-discriminatory decision.
8.3 Automated decision-making which have legal effects or similarly significantly affects you
A fully automated decision is a decision made with regard to an individual using an algorithm applied to their personal data, without the involvement of any human being in the process.
This is the case with KEYHOME and KEYPRIVATE simulations, which are available on the Bank's Website. In the event of a refusal by the algorithm, for whatever reason, this is a decision that may have legal effects on you.
In some cases, the decision not to grant a credit card is also made on the basis of fully automated decision-making. The algorithm takes into account various elements of your application and consults the Central Individual Credit Register and database of non-regulated registrations in order to determine whether it should deny the application.
In the case of fully automated decision-making, you will receive an immediate response to your application.
In all cases where an automated decision has legal effects or similarly significantly affects you, you have the right to request human intervention and to be provided with an explanation of the decision taken following this type of assessment, and to potentially contest this decision.
9. Storage period
The Banks ensures it does not store your personal data for any longer than we need for the processing activity that requires us to collect them. When assessing how long we need to store your personal data, we must also take into account the applicable regulatory requirements (requirements arising from legislation against money laundering and the financing of terrorism, for example).
As a prospective customer, your data will be stored for a maximum period of one year.
If you are a customer of the Bank, the data we will have collected as part of our contractual relationship will be stored for the duration of this relationship and for a period of 10 years after your account is closed. This period may be longer in some cases, for example, when it involves a mortgage (30 years) or a dispute (until there is an outcome to the dispute).
Other data, such as data collected using surveillance cameras, are stored for a shorter period (a period of a month on a rolling basis for images recorded by surveillance cameras).
10. Data security
10.1 Our security system
The Bank takes appropriate technical and organisational measures in order to guarantee that your personal data are adequately protected against loss or their disclosure to unauthorised individuals. In order to protect your data, the Bank has put in place security technology which complies with international rules and current standards in force.
The Bank has also taken organisational measures, by setting up teams dedicated to information security.
More generally, the Bank's employees are made aware of the question of protecting personal data, and the Bank ensures that they comply with the code of ethics setting out the instructions on the protection of personal data.
The Bank works exclusively with data processors and partners who offer a high level of guarantees regarding the protection of personal data.
If the Bank identifies an incident with an impact on personal data, it ensures, in line with regulatory requirements, that it reports it to the Data Protection Authority (DPA) as soon as possible, that it informs the data subjects and takes the necessary steps to minimise any damaging consequences that the incident may have for them.
10.2 Actions you can take
Data security is everyone's business.
You can also help keep your personal data secure by following the advice below:
The Bank will never ask you for your account numbers, debit or credit card numbers, passwords or codes via e-mail or telephone. Therefore, never communicate this information by any means under any circumstances! If you call the Bank, it may need to identify you. It will do this by asking some personal questions.
11. Who receives your personal data? To whom can your personal data be transferred?
- to market and regulatory authorities (particularly in Belgium and France), similar foreign authorities, the Central Point of Contact ("CPC"), and to Belgian and foreign tax authorities when the Bank is required to disclose customers' personal data;
- to the National Bank of Belgium or the Bank of France in cases covered by Regulation (EU) No. 2016/867 of 18 May 2016 (the AnaCredit Regulation) relating to credit facilities granted to you;
- to public or judicial authorities, such as the police, prosecutors, law courts, etc. This can only be done at their express request and in compliance with regulations;
- to lawyers (for example, in relation to the dissolution of a marriage or a bankruptcy), notaries (for example, when it involves a mortgage or inheritance), guardians or interim administrators, etc.;
- to third-party banks in accordance with the Law of 18 September 2017 on the prevention of money laundering and the financing of terrorism and limitations on the use of cash.
- specialist providers from the financial sector, who must also fulfil their statutory obligations in relation to personal data
(for example Card Stop, VISA, related banking institutions in foreign countries, etc.);
- service providers who help the Bank to:
- devise and maintain our tools
- market its activities, organise events and manage communications with customers;
- develop and/or manage its products and services
For some services, the Bank calls upon specialist partners who work as data processors. The Bank ensures the protection of your personal data by appropriate provisions in its contracts with data processors, and only uses data processors which implement the appropriate technical and organisational measures. If necessary, the Bank supplements the data processor's contracts and documentation with other appropriate measures (tests, on-site inspections, etc.)
When personal data are transferred to a data processor, the Bank only provides the third party with the personal data necessary for it to carry out the specific tasks required.
When we work with data processors outside of the European Economic Area (EEA), we take appropriate measures to guarantee that your personal data will be properly protected in the recipient country. In such cases, the Bank takes action (for example, through contractual measures and checks on the technical and organisational measures implemented) to ensure that personal data are processed with the same level of security as that required under European regulations.
Your data may also be disclosed, with your consent, to certain payment service providers, such as payment initiation and account information service providers in connection with PSD2: these data (pseudonymised) will only be stored on the Cloud when you use payment initiation and account information services.
Under no circumstances will the Bank share your personal data with third parties without a specific purpose justifying the transfer of personal data.
12. What are your rights?
12.1 Right of access
You have a right of access to the personal data concerning you that are processed by the Bank:
The Bank takes all necessary measures to ensure that your personal data are correct, up-to-date, complete and relevant. For this reason, the Bank asks you to keep it informed of any changes (new addresses, new identity card, acquisition of a new nationality, etc.) If you discover that your data are inaccurate or incomplete, you can ask us to make rectifications (see point 13).
12.2 Right to rectification
You can amend some of your personal data yourself by logging in to the Transaction Site > Preferences > Personal Data > Communication. For certain changes to personal data made by you, the Bank consults the national register as the Bank must ensure that the change made corresponds to the official databases.
There are certain items of personal data that you cannot change yourself. For certain categories of customers, for example, the Bank must draw up reports for the relevant authorities. Some of these reports must be communicated to you.
For data that you cannot change yourself on the Transaction Site, you also have the right of rectification in the event of error or omission: you can send an e-mail to email@example.com, clearly specifying the reasons why you think the data should be rectified and attaching any documents that show this to be the case.
If the Bank corrects data concerning you which it had previously shared with a third party, it will also notify the third party.
12.3 Right to be forgotten
In some specific cases, the regulations allow you to have your personal data deleted from the Bank's database.
This is the case, in particular, if the data are no longer necessary for the purposes for which the Bank collected them, if the processing of your data is based solely on your consent and you decide to withdraw it, or if you have objected to the processing of your data and there are no legitimate grounds for the Bank which prevail over yours (for example, because you provided your personal data with a view to submitting an application for a mortgage loan that you did not ultimately take out).
However, the Bank may store your personal data when they are needed for establishing, exercising or defending its rights in court, or for the Bank to comply with its statutory obligations. The Bank will therefore be required to comply with storage periods stipulated by different laws, particularly when the data concern transactions which you have carried out or have been collected in connection with our obligations relating to combating money laundering and the financing of terrorism.
12.4 Right to restriction of processing
This right of objection enables you to ask the Bank to stop processing your personal data temporarily in specific cases defined by regulations.
You can ask for your data to be blocked:
If you have exercised this right, the Bank may retain your data but it will no longer be able to process them unless you provide your consent to do so, or in order to establish, exercise or defend its rights (or the rights of another person) or in the cases provided for by regulations.
12.5 Right to data portability
By virtue of this right, you may ask the Bank to send your personal data to you or to send them directly to another data controller, where this is technically possible for the Bank. This right only applies to data which you yourself have supplied to the Bank and which are automatically processed on the basis of the contract or when you have provided your consent.
You can submit a request using the following form
12.6 Right to withdraw your consent
When your data are processed because you have provided your consent, you have the right to withdraw this consent at any time. However, withdrawing your consent does not call into question the legality of the processing carried out during the period before you withdrew your consent.
12.7 Right of objection
You always have the right to object to the use of your personal data for marketing purposes, without providing any justification and at no cost to you (see 6.5). If you do so, your data will no longer be used for this purpose.
Furthermore, you also have the right to object, for reasons relating to your particular circumstances, to any processing of your personal data which is based on the Bank's legitimate interests. However, the Bank will be unable to grant your request if there are legitimate and overriding reasons that prevail over your interests, rights and freedoms, or if the processing of your data is required in order to establish, exercise or defend its legal rights.
13. How can you exercise your rights?
In order to exercise your rights, you may send the Bank a signed and dated request together with a legible copy of the front and back of your identity card to the e-mail address firstname.lastname@example.org.
Customers can also send their request from their authenticated e-mail address (i.e. either the e-mail address they entered when opening their account, or any e-mail address they provided subsequently which has been validated by the Bank) to email@example.com.
Following receipt of a complete request from you, the Bank will assess its validity and, if you are entitled to exercise the right invoked, take the necessary action as swiftly as possible.
In all cases, the Bank will respond within one month. If your request is complex, the Bank will inform you within one month and will contact you again with the information requested within a maximum additional period of two months.
If you request any additional copies when exercising your right to access your personal data, we may charge you a reasonable amount for administrative costs.
14. Who should you contact in the event of a complaint?
In the event of a complaint regarding the processing of your personal data, you may submit a request for mediation to the Data Protection Authority at the following address:
Data Protection Authority
Rue de la Presse 35
Tél : +32 2 274 48 00
Mail : firstname.lastname@example.org