Last updated 17/09/2020
Respect for privacy and, more specifically, the protection of personal data (hereinafter referred to as "PD") against unauthorised disclosures or processing is a primary consideration for Keytrade Bank ("the Bank").
Personal data means any information relating to an identified or identifiable natural person, in particular by reference to an identifier (which may be a number). In other words, as soon as a person can be identified on the basis of information available to the data controller, any data relating to this person (assets, age, bank account number, address, etc.) are personal data.
This Policy applies both to PD which are initially collected when you visit the Bank's Website and when you contact the Bank, and to data which are subsequently obtained by the Bank (for example, when you sign up to an additional product or service, or when you update data you initially provided).
The processing of your PD is subject to compliance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, known as the "GDPR", as well as all regulations applying to PD [1].
For more detailed information about data protection, please visit the website of the Belgian Data Protection Authority at https://www.dataprotectionauthority.be.
This Policy is updated regularly. The Bank invites you to check its Website on a regular basis to see the version of the Policy currently in force.
All terms not defined in this Policy and written with a capital letter have the meaning described in the Bank’s General Terms and Conditions.
- The Law of 30 July 2018 on the protection of individuals with regard to the processing of PD
- The Law of 13 June 2005 on electronic communications
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
- Who is the data controller for your PD?
- Which categories of PD are processed?
- When does the Bank collect your PD?
- Data reported
- Public sources or sources accessible to the Bank
- Use of software
- Data disclosed during interactions
- Data collected by third parties
- In what circumstances are you required to provide your PD to the Bank?
- For what purposes and on what legal basis does the Bank process your PD?
- Statutory obligations
- Identification and Know Your Customer (KYC)
- Criminal investigations – Public Prosecutor charges
- Compliance with court decisions
- Attachment of bank accounts
- Inheritance and divorce
- Market Abuse (Market Abuse Regulation)
- Markets in Financial Instruments Directive (MiFID)
- Shareholder Rights Directive (SRD II)
- PD breaches (GDPR)
- Exercising your rights under the GDPR
- Central Point of Contact ("CPC")
- The Central Individual Credit Register ("CCP")
- Mortgage loans and consumer loans
- Code of Economic Law
- Financial risk management
- AnaCredit – Basel III
- The Common Reporting Standard (CRS)
- The Foreign Account Tax Compliance Act (FATCA) and Qualified Intermediary (QI)
- DAC 6
- Deposit Guarantee and Resolution Fund ("FGDR")
- Dormant accounts
- Audits by the authorities
- Pre-contractual relationship
- Before opening a bank account
- Opening a bank account
- Contractual relationship – products
- Account management
- Bank cards (credit and debit)
- Credit cards
- Debit cards
- Account aggregation service
- Cashback service - Paylead
- Stock market orders - custodians
- KEYPLAN AND KEYPRIVATE
- Keytrade Pro – Saxo Bank
- Payment of invoices – Zoomit
- Debt recovery
- KEYHOME – Crefius
- KEYHOME – partners
- Branch 21 and Branch 23 insurance
- Contractual relationship – means of communication
- Telephone calls
- E-mails and written e-mail exchanges
- Hard copy correspondence
- Legitimate interests
- Models, statistics
- Direct marketing
- Staff training
- Competitions, games, events and seminars (KEYPRIVATE and KEYPLAN)
- Direct marketing
- Keyhome - Cardif and Ethias
- Statutory obligations
- Direct marketing
- Cookies and similar technologies
- Profiling and automated decisions
- Profiling in general
- Human decisions based on profiling results
- Automated decisions which have legal effects or similarly significant effects on you
- Retention period
- Prospective Customers
- Retention period for identification data
- General retention period for verbal and written communications
- Retention deadline for transaction information
- Retention period for stock market orders
- Retention period for data relating to a complaint or legal proceedings
- Retention period for data produced by the Bank (templates, statistics, etc.)
- Retention period for video surveillance cameras
- Security measures for data management
- Our security system
- Monitoring the security of computer systems
- Privacy by Design
- Transfers to partners (data processor and separate data controller)
- Internal access to your data
- Staff training and awareness-raising
- Action you can take
- Our security system
- What are your rights?
- Right of access
- Right to rectification
- Right to be forgotten
- Right to restrict processing
- Right to data portability
- Right to withdraw your consent
- Right of objection
- How can you exercise your rights?
- Who should you contact in the event of a complaint?
1. Who is the data controller for your PD?
Keytrade Bank, the Belgian branch of Arkéa Direct Bank SA (France), situated at Boulevard du Souverain 100, 1170 Brussels and registered under CBE number BE 0879.257.191, is the data controller for your PD.
As a branch of Arkéa Direct Bank SA (France), itself a subsidiary of Crédit Mutuel Arkéa, the Bank is part of the Crédit Mutuel Arkéa group.
Within Keytrade Bank, the DPO Team is responsible for the daily monitoring of GDPR issues (first point of contact) and for compliance with the regulations applicable to PD.
If you have any questions, would like to submit a request to exercise one of your rights under the GDPR or are faced with a problem concerning your PD, you can contact our DPO Team by e-mail at firstname.lastname@example.org or by post at Boulevard du Souverain 100, 1170 Brussels.
Keytrade Bank has appointed a Data Protection Officer ("DPO"), whose role is in particular to inform and advise the Bank on all matters relating to the protection of PD. You can contact the Data Protection Officer:
- By post: Data Protection Officer – Crédit Mutuel Arkéa – 1 rue Louis Lichou, 29808 Brest Cedex 9, France
- By e-mail: email@example.com
2. Which categories of PD are processed?
The various categories of PD that the Bank collects in the context of the banking relationship or when you contact it are as follows:
- Identification data: your surname, first name(s), address, identity card number, national registration number, e-mail address, telephone number, login information;
- Transaction data: these are all data relating to your bank and stock market transactions, including your account numbers, card numbers, banking communications, withdrawals, transfers relating to your accounts, any defaults on loan repayments to the Bank, etc.;
- Financial data: your bills, payslips, income, the value of your personal property or real estate, repayment capacity, the origin of your funds or assets, etc.;
- Personal data: your surname, first name(s), age, gender, date of birth, place of birth, marital status and nationality;
- Household composition data: your family situation, details about other members of your household, etc.;
- Data relating to your level of knowledge and experience or to your investor profile: your knowledge and experience of financial instruments and your financial situation, including your ability to bear losses, your investment objectives and your risk tolerance;
- Data relating to satisfaction surveys or from the contact you have with the Bank;
- Audiovisual and electronic data: video surveillance recordings from our branches, telephone recordings from our customer service department or records of e-mail communications;
- Data concerning your legal capacity to enter into certain contracts or to perform certain actions: in proceedings relating to collective debt settlement, bankruptcy or incapacity, inclusion on the blacklist of the Central Individual Credit Register of the National Bank of Belgium;
- Data obtained via cookies and other similar technologies: IP address, browser version, how you behave on the website, how many times you have visited the Transaction Website (logs). For more information, please refer to our Cookies Policy.
3. When does the Bank collect your PD?
The Bank collects your PD on the basis of the different sources mentioned below.
3.1 Data reported
These are all the data that you or a third party explicitly and directly provide to the Bank (surname, first name(s), postal address, telephone number, e-mail address, employment status (self-employed, employee, etc.)).
- These data may be transferred when you open a bank account, when you update them or when they are required to allow you to sign up to a new service or product.
- When you take part in seminars, tutorials, competitions, events, etc. organised by the Bank, you will need to communicate data making it possible to identify you and contact you.
- Data about you may be passed to the Bank by a third party, provided that this transfer is necessary (for example, if you are the beneficial owner of a legal entity).
3.2 Public sources or sources accessible to the Bank
When processing your application to open an account or subscribe to a product, the Bank may have to complete or check certain data in registers which are public or to which it has access (for example, the Crossroads Bank of Enterprises, publications in the Belgian Official Gazette, the National Register or the Central Individual Credit Register). For more information on this last point, please refer to the section on the Central Individual Credit Register.
3.3 Use of software
When you use the application developed by Keytrade Bank or connect to the Transaction Website, data about you are collected (logs in computer systems, data relating to electronic signatures, etc.).
3.4 Data disclosed during interactions
When you answer a questionnaire, send an e-mail, reply to a message, make a telephone call, etc., the Bank collects and stores the data contained in these files.
3.5 Data collected by third parties
For certain services, the Bank uses third parties who collect data about you and share these data with the Bank (for example, on the use of your VISA card, recovery of debts, etc.). The Bank will process these data for specific purposes.
4. In what circumstances are you required to provide your PD to the Bank?
The Bank undertakes to only ask you for the data it needs to properly examine your request, either when you open a bank account or when you subscribe to a service and/or product (the concept of privacy by default). So that the principle of privacy by default is respected, every request for information sent to customers and prospective customers (for example, when they sign up to a product online) has been reviewed by the DPO Team, who ensures they are able to justify why each piece of data requested is necessary in view of the purpose for which it is collected.
The majority of these data are requested so that the Bank can comply with the current PD regulations (law on the prevention of money laundering, MiFID, Regulation (EU) 596/2014 on market abuse, etc.).
You do, of course, have the right to refuse to disclose these data, but if this refusal prevents the Bank from complying with its legal obligations, it will be obliged to refuse you the service and/or product.
Since the Bank is an online bank, it needs an e-mail address in order to provide you with certain information that it must send you. Without an e-mail address and a mobile telephone number to validate the opening of a bank account, the Bank cannot enter into a customer relationship with you.
If an item of data is not required by law, the Bank indicates this and you can continue your request for products and/or services without providing this data. These data are mainly intended to improve your customer experience (by personalising your customer environment: adding a photo, naming your accounts, adapting the display of your customer area, etc.).
5. For what purposes and on what legal basis does the Bank process your PD?
In the remainder of this section, the Bank will specify the different PD processing activities it carries out. In general, the Bank processes your data on the following legal grounds:
- in order to comply with all statutory and regulatory provisions applicable to the Bank;
- in connection with the performance of the contract or with pre-contractual measures;
- in order to pursue the Bank's legitimate interests, maintaining a balance between these legitimate interests and respect for your privacy; or
- when you have given your consent for a specific purpose or purposes.
5.1 Statutory obligations
The Bank is bound by a number of statutory and regulatory obligations that require us to process your PD. These obligations mainly fall within the areas mentioned below.
5.1.1 Identification and Know Your Customer (KYC)
When you open your banking account and for as long as it remains open, the Bank must comply with its obligations to identify and know its customers (KYC) contained in the law of 18 September 2017 on the prevention of money laundering and the financing of terrorism and the restriction of the use of cash (hereinafter referred to as "AML-FT"). In order to do so, the Bank will process your data several times and may need to ask you for additional information.
5.1.2 Criminal investigations – Public Prosecutor charges
In the context of criminal investigations, the authorities may request that the Bank supply certain customer banking relationship information. Subject to strict compliance with the regulations, the Bank will share your data with the authorities permitted to make such requests.
5.1.3 Compliance with court decisions
The Bank has a statutory obligation to comply with decisions and judicial documents enforceable against it. Therefore, if you have been declared without capacity or bankrupt, for example, the Bank is obliged to process your data in order to properly respond to the decision as soon as it becomes aware of it. The Bank may also need to communicate information to the parties involved (lawyers, notaries, guardians, provisional administrators, etc.). The Bank only shares the data with parties who are entitled to access them, either by virtue of a ruling or by virtue of the regulations.
5.1.4 Attachment of bank accounts
When an attachment (enforceable or preventive) is carried out on your accounts in compliance with the regulations, the Bank is required to provide certain information relating to your accounts in order that the attachment may take effect. You will be informed of the attachment by the process server or any other authority competent to carry out attachments.
5.1.5 Inheritance and divorce
In the context of inheritances, inheritors are entitled to obtain the account statements of the deceased’s bank accounts in order to monitor and prevent any concealment of an inheritance. The Bank may need to transfer your PD if they are included on the account statements.
In the context of a divorce, the officiating notary may request a statement of accounts from the parties on the date of the divorce in order to be able to carry out the settlement and division of assets.
The obligation to help prevent money laundering and the financing of terrorism by identifying customers, representatives and beneficial owners, establishing risk profiles, and monitoring operations and transactions. If the Bank considers that the regulatory conditions are met, it must also transfer your data to the Financial Intelligence Processing Unit (FIPU).
5.1.7 Market Abuse (Market Abuse Regulation)
The obligation to help combat market abuse, by identifying particular information and reporting it to the relevant authorities or partners with which the Bank works on these financial markets.
The Bank may therefore need to transfer your PD to the Financial Services and Markets Authority (FSMA) in the context of reporting by the Bank, FSMA investigations or a cooperation treaty with a foreign administration, subject to compliance with regulations.
For the detection of market abuse, the Bank sends certain pseudonymised PD relating to financial transactions to LiquidMetrix.
In special circumstances, the Bank may be required to make transfers to a third country which has not been the subject of a suitability decision. To do this the Bank will, prior to any transfer, ensure that Standard Data Protection Clauses (SDPC – Art. 46 GDPR) have been signed, appropriate technical and organisational measures are in place and that a data protection impact assessment has been carried out. You always have the option to request a copy of the documents which provided the basis for a specific transfer.
5.1.8 Markets in Financial Instruments Directive (MiFID)
The obligation to protect consumers of financial products and services by identifying, for some services, their level of knowledge and experience, their investor profile and category, and their investment capabilities and objectives.
5.1.9 Shareholder Rights Directive (SRD II)
In order to comply with the Shareholder Rights Directive, one of the Bank’s obligations is to disclose the PD of the shareholders of a listed company so that the company, or a third party appointed by it to this end, may contact its shareholders in order to organise their participation and voting at the general meeting.
5.1.10 PD breaches (GDPR)
In the event of a breach of your PD which entails a risk for your rights and freedoms, the Bank will share data, which is in principle anonymised, with the Data Protection Authority in order to inform them of the PD breach and to provide them with the information needed to assess the seriousness of the breach and to explain the remediation measures taken.
In the event that the breach entails a high risk for your rights and freedoms, the Bank will inform you and send you a summary of the measures taken to mitigate the risks for your rights.
Records relating to PD breaches are kept for a period of five years (for more information about the different retention periods applied, please refer to the "Retention Period" section).
5.1.11 Exercising your rights under the GDPR
When you exercise one of the rights granted to you by the GDPR, the Bank is required to assess your request and, if there is no reason to refuse it, to provide a helpful response to this request.
The file relating to your application will be kept for a period of five years (see the “Retention Period” section).
5.1.12 Central Point of Contact ("CPC")
In order to comply with the Royal Decree of 17 July 2013 on the central point of contact, each year, the Bank sends your data (identification, bank accounts, contracts in progress) to the National Bank of Belgium.
The retention period for the report sent to the National Bank of Belgium is eight years in accordance with Article 8 of the aforementioned Royal Decree.
5.1.13 The Central Individual Credit Register ("CCP")
When you take out a loan, the Bank has a statutory obligation to record this information in the Central Individual Credit Register (Royal Decree regulating the Central Individual Credit Register). The same applies when you are in payment default; the Bank must inform the National Bank of Belgium of the default. You will be notified of your inclusion on the NBB's blacklist by post.
5.1.14 Mortgage loans and consumer loans
5.1.14.1 Code of Economic Law
The Code of Economic Law requires the Bank, among other things, to check the accuracy of the information sent, to assist you in your loan application and to advise you. In order to comply with its statutory obligations, the Bank will have to process your data. When documents (e.g. European Standardised Information Sheet, Special Terms and Conditions) need to be drawn up in connection with your mortgage loan application, we send your data to Crefius (for more information on the role and involvement of Crefius, please see the section "Keyhome – Crefius").
5.1.14.2 Financial risk management
The Bank has a regulatory obligation to manage its financial risks and its risk exposure. To do this, the Bank determines risk scores and uses statistical risk models that are based on your PD. This allows it to evaluate its risks.
5.1.14.3 AnaCredit – Basel III
Both the AnaCredit Regulation and the Basel III accord are applicable to the Bank’s loan activities. In order to comply with these regulations, the Bank sends pseudonymised PD of customers who have taken out loans to the National Bank of Belgium (AnaCredit) and also to Crédit Mutuel Arkéa. Crédit Mutuel Arkéa consolidates the data relating to loans with those of the other entities of the Crédit Mutuel Arkéa group before transmitting its report to the European Central Bank (Basel III).
5.1.15 The Common Reporting Standard (CRS)
If you are a tax resident of a member country of the Common Reporting Standard other than Belgium, the Bank is legally obliged to inform the Belgian tax authorities, who will in turn share data on your assets with the competent foreign tax authority.
The reports produced by the Bank in the context of the CRS are kept for a period of eight years. You can ask the Bank for a copy of the information it has provided to the tax authority under the CRS.
5.1.16 The Foreign Account Tax Compliance Act (FATCA) and Qualified Intermediary (QI)
If you are a US Person under American regulations, the Bank is required to refer you to the American tax authorities as an account holder or beneficial owner and specify your account credit balance. If the Bank considers that the regulatory conditions are met, it will include you in its QI reporting intended for the Internal Revenue Service (IRS).
The reports produced by the Bank in the context of the FATCA and QI regulations are kept for a period of six years.
5.1.17 DAC 6
On the basis of the regulations and information published on this subject by Febelfin, your data may be processed by the Bank in order to comply with DAC 6.
5.1.18 Deposit Guarantee and Resolution Fund ("FGDR")
The purpose of the FGDR is to protect your assets up to an amount of EUR 100,000 in the event of the failure of the Bank. Since the Bank is a branch of Arkéa Direct Bank (France), your assets must be added to any you hold in an account with Arkéa Direct Bank (trading name Fortuneo). The Bank and Arkéa Direct Bank submit a joint report to the French FGDR.
The reports generated by the Bank and forwarded to Arkéa Direct Bank in connection with the FGDR are kept for one month (they are produced daily).
For more information about the FGDR, please refer to the information document on how your deposits are protected.
5.1.19 Dormant accounts
If your bank accounts fall within the scope of the legislation on dormant assets, we must process your data in order to attempt to contact you before transferring the assets to the Caisse des dépôts et consignations (Deposit and Consignment Office).
Once the assets on the account have been transferred to the Deposit and Consignment Office, your bank account is closed and your data will no longer be processed unless you contact us.
5.1.20 Audits by the authorities
In the event of an inspection by the competent authorities, whether Belgian, EU or foreign, the Bank and the other group entities holding your PD must provide certain information and access to the authorities so that they can fulfil their duty of inspection under the regulations. Your PD may be transferred or viewed during these checks.
The list of statutory and regulatory areas that govern how the Bank must provide, transfer or process your PD may change.
5.2 Pre-contractual relationship
5.2.1 Before opening a bank account
Before it opens a bank account or approves your subscription to a product or service marketed by the Bank, the Bank may, and in some cases must, obtain and process certain PD, in particular in order to:
- respond to your application;
- help you if you encounter a problem during the online process of registering for a product or service;
- take an application further, assess suitability and appraise the risks associated with a potential product or service;
- assess your creditworthiness, or possibly the creditworthiness of people connected to you, when you make an application for credit.
More specifically, the Bank processes your PD in a pre-contractual context as follows:
- If you open your bank account online using an identity card reader, your data will be read by software installed on the Bank’s servers. This software collects your identity card data and modifies them so that they are in a readable format for the Bank’s computer system.
- During 2021, the Bank will offer the option to open a bank account by means of an application. Your PD will be passed to the Bank by the company that developed the application.
- When this service is available, if you open your bank account using the hard copy form, the Bank will process your request and forward the hard copy documents to Merak for scanning.
When processing your application to open a bank account, the Bank consults the following databases:
- the National Register (if you reside in Belgium and have a Belgian ID card) via the non-profit organisation Identifin (if you are not a Belgian resident, you must provide us with the necessary documents, and more particularly your passport, so that the Bank can comply with its regulatory obligations);
- Refinitiv's World-Check database, to fulfil its Know Your Customer ("KYC") obligations before opening the bank account;
- any other public source it deems necessary in order to verify the accuracy of the data entered.
5.2.2 Opening a bank account
If your application to open a bank account is accepted, the Bank transfers the PD necessary to generate and send you the connection method you have selected (Softkey and/or Hardkey) to the company OneSpan NV.
In order to open your bank account, the Bank will create your profile in its computer system and take specific steps to open the bank account (creation of account numbers, your username and password, etc.).
If you use the bank switching service to transfer your banking data from your previous financial institution to the Bank, your data will be forwarded to the Bank via the non-profit organisation the Centre for Exchange and Clearing (CEC).
5.3 Contractual relationship – products
5.3.1 Account management
The management of your various accounts (calculation of interest, overview of accounts and transactions, provision of documents, tax on stock market transactions, account information service, etc.) is carried out entirely internally at the Bank. Your PD are therefore not passed to third parties for this purpose.
If a specific problem is encountered, your data may be sent by the Bank to parties involved, in order to exchange information on the management of your account. This will be the case, for example, if you have entered a transfer to an incorrect recipient and want to cancel it or have been the victim of a scam. The Bank will only transmit the data necessary for the organisation to be able to process the request.
5.3.2 Bank cards (credit and debit)
5.3.2.1 Credit cards
- Oberthur Technologies The Netherlands BV, so that the card may be physically created and dispatched.
- Monext, a simplified joint-stock company under French law, for the computerised creation of the card and generation of the PIN. In the event of a change to your card (change of PIN, card renewal or replacement, etc.), your data will also be sent to Monext.
- VISA Belgium SCRL sends the Bank data relating to your card transactions.
- The insurance policy associated with your credit card has been entered into with Inter Partner Assistance SA. If you make a claim, there will be an exchange of information between the Bank and Inter Partner Assistance relating to the claim.
- If you block your card using the equensWorldline Cardstop service rather than the Transaction Website, your data will be processed and transferred by equensWorldline.
5.3.2.2 Debit cards
Debit card applications are accepted automatically. Your data are forwarded to:
- Oberthur Technologies The Netherlands BV, so that the card may be physically created and dispatched
- equensWorldline SE for the computerised creation of the card. In the event of a change to your card (change of PIN, card renewal or replacement, etc.), your data will also be sent to equensWorldline
- Bancontact or Maestro: For each debit card payment, your data are processed by Bancontact or Maestro and sent to the Bank. The fact that your PD are sent to Bancontact or Maestro is shown on your debit card
- If you block your card using the Worldline Cardstop service rather than the Transaction Site, your data will be processed and transferred by Worldline.
5.3.3 Account aggregation service
The Bank will only disclose the data required for particular payment service providers to take action (such as payment initiation service providers and account aggregators) once you have signed up to the service.
PSD2 data relating to payment initiation services and account aggregators are kept in the Amazon Web Services Cloud. Working alongside Amazon Web Services, the Bank has put in place all technical and organisational measures needed to guarantee the security of data when this data transfer is carried out. These measures are in accordance with the applicable professional standards and are reviewed at regular intervals to ensure that they remain appropriate.
5.3.4 Cashback service – PayLead
The Bank will offer a cashback service in association with Paylead. If you subscribe to this service, your data will be sent to Paylead in pseudonymised form. Paylead requires information relating to your card payments (credit and debit) to determine the cashback to which you are entitled. Your data will no longer be forwarded as soon as you unsubscribe from the cashback service.
5.3.5 Stock market orders – custodians
For placing and executing orders on the stock market, your PD are not passed to an intermediary (Euronext, Euroclear, etc.). The same applies to the custodians with whom the Bank cooperates.
However, the Bank may need to disclose your PD to intermediaries or custodians in the context of information requests made under the regulations in force.
5.3.6 KEYPLAN AND KEYPRIVATE
If you sign up for the KEYPLAN or KEYPRIVATE products, the Bank will take the necessary steps to open the custody accounts associated with your KEYPLAN or KEYPRIVATE product, and will enter the information required in its computer system so that it can offer you your chosen service.
None of your PD is shared with a third party in order to offer you these services.
5.3.7 Keytrade Pro – Saxo Bank
If you subscribe to the Keytrade Pro service, your PD will be sent to Saxo Bank in order to fulfil the contract, which includes the execution of your orders, as well as to comply with regulations.
5.3.8 Payment of invoices – Zoomit
If you have registered for the Zoomit service (CodaBox SA) for the payment of your bills, the Bank and Zoomit will process your PD in order to fulfil the contract you have entered into with Zoomit.
5.3.9 Debt recovery
When the Bank holds a claim for credit (balance exceeded, unauthorised overdraft, etc.) against you which has not been repaid within a certain period, it will send your data to its partner with a view to recovering the debt, in compliance with the regulations in force.
If your data are transferred to our partner, you will be notified by post.
5.3.10 KEYHOME – Crefius
As soon as you submit a mortgage loan application, the Bank will send your data to Crefius, with whom it cooperates for the drafting of documents relating to your mortgage loan application (ESIS, loan offer, etc.). If you sign a mortgage loan agreement with the Bank, payment tracking and the risks of your loan are managed by Crefius (recovery of outstandings, one-off repayment, drawdown by tranche, etc.).
5.3.11 KEYHOME – partners
Keytrade Bank has entered into partnerships in order to market the KEYHOME product to customers of certain partners. These partners act in their capacity as credit intermediaries or introducers of business. They send your data to the Bank, either to be able to contact you following your interest in the product, or to examine your mortgage loan application specifically.
You will be informed by the partner before any transfer of PD to the Bank.
5.3.12 Branch 21 and Branch 23 insurance
During 2021, the Bank will offer its customers Branch 21 and Branch 23 insurance products marketed by a partner. If you wish to take out one of these products via the Bank, the Bank will be required to transfer your data to its partner in order to conclude the Branch 21 or Branch 23 insurance policy.
As part of its handling of complaints, the Bank must process, and possibly transfer, PD to the parties involved (the person making the complaint, the persons involved in processing the case, Test Achats, Ombudsfin, etc.) in order to be able to respond to the complaint and defend its interests. The Bank will only process and disclose those PD it deems necessary for due and correct handling of the claim.
5.4 Contractual relationship – means of communication
5.4.1 Telephone calls
Recordings are not communicated to third parties unless provided for by statutory provision, or if this is necessary in connection with the management of your contractual relationship (e.g. you have filed a complaint).
All telephone communications between the Bank and its customers and prospective customers are kept for at least one year for evidentiary purposes and quality analysis. The legal grounds for recording telephone calls lie in taking pre-contractual measures or in the fulfilment of the contract if a banking relationship already exists.
A longer retention period is provided if the purpose so requires. In particular, these are the following purposes (see section "Retention period"):
- If your call is made in the context of a complaint or legal proceedings;
- If we need to keep the recording in connection with one of our legal obligations (AML-FT, market abuse regulations, MiFID).
5.4.2 E-mails and written e-mail exchanges
The Bank uses various software programs for sending, processing and receiving e-mails. For sending e-mails, the Bank uses in-transit encryption methods which are applied in accordance with the software sending the e-mail and the content of the e-mail, provided that the server receiving the e-mail supports encryption.
In order to guarantee optimum security for the exchange of information, the Bank has set up a “Secure Message Box” on the application and the Transaction Website, which allows it to communicate directly and easily with its customers in relation to matters such as corporate actions, order execution problems, etc. Unlike e-mail, sending communications via the Secure Message Box makes it possible to significantly limit the involvement of third parties in the sending and receiving process. Only Amazon Web Services is used for data hosting.
A general retention period applies to e-mails and other electronic exchanges (Secure Message Box), provided that there is no regulatory obligation to retain information for a longer period of time (see section "Retention period").
5.4.3 Hard copy correspondence
In general, the Bank favours electronic communications over paper correspondence. Nevertheless, the customer may express their preference for receiving certain information in hard copy (e.g. account statements).
For hard copy correspondence sent automatically (e.g. account statements, information to be sent to all customers in connection with a specific product), the Bank uses the services of Publimail.
For incoming correspondence, the Bank uses Merak’s scanning services. Once the correspondence has been scanned, the scanned version is sent to the Bank, which will deal with your correspondence. Hard copy correspondence shall be destroyed unless the Bank is required by law to retain the original.
A general retention period of one year applies to all hard copy correspondence, provided that a longer retention period is not legally justified.
5.5 Legitimate interests
The Bank also processes your data in order to pursue its legitimate interests. For this purpose, whenever it processes data, the Bank strives to maintain a fair balance between its data processing needs and respect for your rights and freedoms.
For processing activities that are based on legitimate interest, you always have the right to object to processing. In this case, the Bank will no longer process your data for this purpose unless its rights take precedence over your fundamental rights and freedoms.
PD are thus processed for the purposes listed below.
5.5.1 Models, statistics
For the production of models (risk, marketing, forecasts and other) and statistics, the Bank always uses anonymisation techniques.
For the production of models and statistics, the Bank processes a number of anonymised data such as:
- transaction data in order to better understand use of its services with a view to improving them; monitoring the Bank's activities, in particular measuring sales, the number of calls and the number of people visiting the Bank's Transaction Website, as well as ascertaining the most frequently asked questions by customers, etc.
- data extracted from documents produced to analyse and predict the Bank’s exposure to risks and, if necessary, take measures to reduce this exposure.
5.5.2 Direct marketing
The promotion of products and services marketed by the Bank in compliance with regulations (see "Direct marketing"). The Bank has carried out a meticulous analysis to define both the products and services that may be the subject of direct marketing and also the customers to whom this marketing may be sent. You can request a copy of the analysis carried out by the Bank at any time.
5.5.3 Staff training
Your interactions with the Bank which are retained may be anonymised for staff training purposes (telephone calls, e-mail exchanges, etc.).
Safeguarding property and people, combating fraud and attempted hacking, malpractice and other offences imply that images recorded by video-surveillance cameras are only saved in order to safeguard property and people and to prevent malpractice, fraud and other offences that may be committed against our customers or the Bank.
In some cases, the Bank will only process your PD if it has specifically obtained your consent to do so.
Only functional (login) cookies and other similar technologies, which are necessary for the proper functioning of the Bank's Website, will be automatically enabled during your visit. Other cookies (usability, statistical, advertising or tracking cookies) will only be enabled if you give your consent. You can find more information about how cookies work and how you can restrict or delete cookies in our Cookies Policy.
5.6.2 Competitions, games, events and seminars (KEYPRIVATE and KEYPLAN)
Participation in games, competitions and events organised by the Bank also requires the processing of your PD. The Bank undertakes to process your data exclusively in connection with the organisation of the competition, game, event or seminar. Your data will not be used for the purposes of follow-up marketing.
In the event that the competition, game, event or seminar is organised by a third party or if the Bank calls on the services of a third party for its organisation, you will be informed of the transfer of your PD when you share them with us.
We analyse the results of surveys conducted among our customers and prospective customers, as well as their views when they are in contact with us, in order to improve customer relations and our products and services.
Before taking part in a survey, we will ask for your consent and possibly ask you to sign a document for the use of images and recordings.
The Bank may call on the services of a third party to conduct the survey. In this case, the third party will have undertaken contractually to comply with regulatory provisions, and the Bank will have taken steps to ensure this (see section "our security system").
5.6.4 Direct marketing
For customers who have been provided with the option of giving their consent when opening a bank account, the Bank relies on this consent to send them direct marketing (opt in/opt out – see section "Direct marketing" below).
5.6.5 Keyhome – Cardif and Ethias
For insurance linked to your mortgage loan, the Bank has entered into partnerships with Cardif for outstanding balance insurance and Ethias for fire insurance. If you give your consent, Cardif and Ethias may pre-complete the insurance form using the data you have already provided to the Bank.
6 Direct marketing
Depending on the date on which you opened the bank account, you may or may not have had the possibility to give your consent to receive direct marketing communications.
If you gave your consent to receiving direct marketing when entering into the banking relationship, the Bank will process your PD, and in particular your contact details, to send you direct marketing (opt-in). If you did not give your consent when entering into the banking relationship, the Bank will not send you any advertising communications or process your data for this purpose (opt-out).
If the Bank did not request your consent when the banking relationship was entered into, the Bank sends direct marketing on the basis of its legitimate interests (soft opt-in). You can request a copy of the Bank's analysis of its legitimate interests.
In practice, this means that you may be contacted in the following cases, for example:
- about products or services in which you have shown an interest (for example, by registering for an information session or by performing a simulation of the product or service);
- when the Bank markets products or services which, according to the Bank's analyses, match your requirements; the Bank analyses the results of its marketing activities to measure how effective its campaigns have been and thus to offer you, as a customer, more relevant services and products.
In connection with its direct marketing, the Bank may contact you by e-mail, telephone (text message and telephone calls) or by ordinary post. The Bank will choose the most appropriate and least intrusive method of communication, depending on the purpose of the communication. The Bank favours e-mail communications in order to inform you about existing or new products and services.
Any advertising communication sent by the Bank contains a link enabling you to easily withdraw your consent and/or object to the processing of your data for marketing purposes.
You can also indicate at any time that you no longer wish to receive direct marketing by logging on to the Transaction Website > Preferences > Personal Data > Communication. The Bank will never process your data if you have withdrawn your consent or have objected to the processing of your PD for marketing purposes.
The Bank does not send advertising communications if you do not have an active banking relationship with us (prospective customers and customers whose accounts have been closed are therefore excluded).
7 Cookies and similar technologies
8 Profiling and automated decisions
Profiling is the automated processing of your PD to assess certain personal factors such as your interests or your personal preferences, etc.
In order to offer you certain products and services quickly and efficiently, your PD may occasionally be processed in an automated manner either fully or in part, which may result in a decision with legal effects or similarly significant effects on you. This is automated decision-making.
There are three forms of profiling:
- Profiling in general (which has no legal effects on you);
- Human decision-making based on the results of profiling (which has no legal effects on you);
- A fully automated decision (which has legal effects or similarly significant effects on you).
8.1 Profiling in general
The Bank markets a wide range of financial products and services (savings accounts, investment services, pension savings, insurance, mortgage loans, consumer credit, etc.). In order to identify the products and services that actually correspond to your needs, the Bank implements profiling based on some of your PD.
Thanks to profiling, the Bank is able to write customised direct marketing and limit correspondence to communications which it believes are relevant to you. The products and services will remain accessible to all the Bank's customers, unless excluded by law, even if the profiling has not identified that the products correspond to the needs or interests of certain categories of customers.
You can object to profiling for marketing purposes at any time by logging on to the Transaction Website > Preferences > Personal Data > Communication. Each advertising communication also contains a link which allows you to easily object to profiling for marketing purposes.
The Bank also performs anonymised profiling for other purposes, such as:
- for statistical purposes;
- to better understand the behaviour and needs of the Bank's customers and to improve services;
- to analyse the browsing behaviour of visitors to the Bank's Website.
Where the Bank uses profiling based on its legitimate interests, it will carefully assess the legitimate interest in advance to determine whether profiling activity is justified. It will also, in any event, take the necessary measures to minimise any impact on your rights and freedoms.
8.2 Human decisions based on profiling results
These occur when an application is made for a mortgage loan or credit card. The decision of the case manager to grant or refuse you a mortgage or loan will in part be based on the result of profiling carried out by an algorithm. This algorithm uses the data you have sent to us as part of your application for credit, as well as external data (from the Central Individual Credit Register). This algorithm assesses your ability to repay the mortgage or loan you have applied for, and aims to enable the case manager to make a quick and non-discriminatory decision.
8.3 Automated decisions which have legal effects or similarly significant effects on you
A fully automated decision is a decision made with regard to an individual using an algorithm applied to their PD without any human intervention in the process (Recital 71 and Article 22, GDPR).
This is the case with KEYHOME and KEYPRIVATE simulations, which are available on the Bank's Website. In the event of a rejection by the algorithm, for whatever reason, this is a decision that may have legal effects on you.
In some cases, the decision not to grant a credit card is also made on the basis of a fully automated decision. The algorithm takes into account various elements of your application and consults the Central Individual Credit Register database to determine whether it should decline the application.
In the case of a fully automated decision, you will receive an immediate response to your application.
In all cases where an automated decision has legal effects or similarly significant effects on you, you have the right to request human intervention and to be provided with an explanation of the decision taken following this type of evaluation, and to potentially challenge the decision.
9 Retention period
As regards retention periods, a distinction should be made between active databases and archive databases. Customer data relating to their banking activity and the products they have taken out are kept in an active database for as long as they use the product and their banking relationship continues. As soon as all of a customer’s banking activities have ceased, all of their data are transferred to an archive database. When a customer no longer has a product, only the data for that product will be archived. When the data are placed in an archive database, the Bank no longer processes the data unless there is a regulatory obligation to do so, and merely retains the data.
The Bank ensures it does not store your personal data in the active database for any longer than the period necessary for the processing activity for which they have been collected.
When assessing the retention period of your PD in the archive database, the Bank takes into account the applicable regulatory requirements (e.g. requirements resulting from the AML-FT Act).
9.1 Prospective Customers
Your personal data (information relating to the opening of your account, as well as written and verbal communications) as a prospective customer will be held for a maximum period of one year. After this time, your data will automatically be deleted from our database.
The Bank applies several retention periods to PD, according to the applicable regulations and the documents concerned. Where a particular retention period applies to a document, this retention period is specified in the section relating to this document (reports).
In this section, you will find an explanation of the different retention periods that the Bank has selected, as well as the data to which the period applies.
9.2.1 Retention period for identification data
Your identification details will be kept for ten years from the date of closure of all your accounts with the Bank (Article 60 of the AML-FT Act). This period may be extended in certain cases, for example if you end your banking activity but have a current mortgage loan or in the event of a dispute (until the dispute is settled).
9.2.2 General retention period for verbal and written communications
The Bank applies a general retention period of one year for all communications (telephone, as well as electronic and paper correspondence) that it has with its customers for evidentiary purposes and provided that no regulation justifies longer retention of the data (see below).
The Bank relies on Article 5.1 c) of the GDPR, as well as Recital 39 of the same Regulation, and the fact that the first communications relating to a particular problem make it possible to better understand the origin and any solutions put forward by the Bank to justify the general period of one year.
You may request a copy of the telephone and written communications you have had with the Bank at any time, provided that you submit your request within the retention period indicated in this Policy. The Bank cannot be compelled to produce a document which it has deleted in compliance with the applicable regulatory deadline.
9.2.3 Retention deadline for transaction information
In accordance with Article 60 of the AML-FT Act, information relating to a particular transaction will be kept for a period of ten years from the date of the transaction.
Specifically, if your telephone call or correspondence is categorised in our computer system as being related to a particular transaction within the meaning of Article 60 of the aforementioned law, we will apply the ten-year period rather than the general one-year period.
9.2.4 Retention period for stock market orders
Any information that falls under the Market Abuse Regulation or MiFID will be kept for a period of five years.
Specifically, if you place an order on the stock market by telephone or in writing, the Bank will keep the data relating to this order for a period of five years from the date on which the order was placed on the stock market (instead of the general one-year period).
9.2.5 Retention period for data relating to a complaint or legal proceedings
If you formally submit a complaint to the Quality Care Department, submit your complaint to Ombudsfin or a lawyer, or if your complaint is the subject of legal or arbitration proceedings, the Bank will retain the data relating to the complaint and/or legal proceedings for a period of ten years from the date of closure of the complaint or legal proceedings.
9.2.6 Retention period for data produced by the Bank (templates, statistics, etc.)
For statistics, models, lists of registrations for seminars and other data generated by the Bank on the basis of its customers’ data, a general two-year period is applied. The two-year period is justified because models and statistics must be empirically verified and potentially be refined on the basis of the findings made so that the Bank can continuously improve its services and better meet the expectations of its customers.
9.2.7 Retention period for video surveillance cameras
Data collected using surveillance cameras are retained for a shorter period (one month on a rolling basis for images recorded by surveillance cameras unless the content of an image justifies a longer retention period).
10 Security measures for data management
10.1 Our security system
10.1.1 Monitoring the security of computer systems
The Bank takes the necessary measures to ensure that the confidentiality of your data is guaranteed. To do this, the Bank regularly checks that its computer systems guarantee an appropriate level of protection. In addition, the Bank authorises certain third parties to also monitor the security of the Bank’s computer systems.
10.1.2 Privacy by Design
For each project involving the processing of PD, the DPO Team checks compliance with the GDPR principles (e.g. processing only the data necessary for each specific purpose – Privacy by Default) and ensures that the appropriate technical and organisational measures, in accordance with the international rules and standards in force and those recommended by the Crédit Mutuel Arkéa Group, have been implemented (Privacy by Design). The project can only be marketed or published once validated by the DPO Team.
Each change to PD processing activities is also the subject of a more concise analysis by the DPO Team.
The Bank therefore ensures that appropriate technical and organisational measures have been taken to guarantee that your PD are adequately secured against loss, amendment or disclosure to unauthorised persons.
If, however, the Bank identifies an incident posing a risk to your rights and freedoms, it ensures, in line with regulatory requirements, that it reports this to the Data Protection Authority (DPA) as soon as possible, that it informs the data subjects and immediately takes the necessary steps to minimise any damaging consequences that the incident may have for them.
10.1.3 Transfers to partners (data processor and separate data controller)
As you will have read in this Policy, for some services the Bank uses specialist partners who act as separate data processors or controllers. The Bank ensures the protection of your PD by appropriate provisions in its contracts with these partners, and only uses partners which implement the appropriate technical and organisational measures. If necessary, the Bank supplements the partner's contracts and documentation with other suitable measures such as an annual questionnaire, on-site audits, etc.
When PD need to be transferred to a partner, the DPO Team must examine the transfer before its implementation and ensure that the Bank only makes available to the partner the PD necessary to carry out its mission successfully (Privacy by Default).
Under no circumstances does the Bank share your PD with third parties without there being a specific purpose justifying the transfer of PD.
When the Bank works with data processors located outside the European Economic Area (EEA), it takes appropriate measures (Standard Contractual Clauses, technical and organisational measures and data protection impact assessments – Articles 35 and 46 of the GDPR) to guarantee that your PD are properly protected in the destination country. In such cases, the Bank ensures (for example, through contractual measures and checks on the technical and organisational measures implemented) that the PD are processed with the same level of security as that required under European regulations.
10.1.4 Internal access to your data
In accordance with the regulations, the Bank has put in place procedures ensuring that only the data needed for employees to be able to carry out their duties are accessible to them.
This means that, for example, data relating to mortgage loans are only accessible to employees of the departments handling this service.
10.1.5 Staff training and awareness-raising
All Bank employees are made aware of PD protection issues through annual training. The Bank ensures that its employees comply with the code of ethics setting out the instructions for the processing of PD.
10.2 Action you can take
Data security is a matter for everybody.
You can also help keep your PD secure by following the advice below:
- use the most recent operating system on your device and install all security updates;
- use the most recent version of your web browser and install all security updates;
- install antivirus software, anti-spyware software and a firewall, and adjust your preferences so that these safeguards are updated regularly;
- do not leave your device or your login details unattended;
- log off the Transaction Website and the app if you are no longer using these;
- keep your codes confidential;
- only log in from devices that you trust and do not use shared computers/devices for sensitive transactions.
The Bank will never ask you for your account numbers, debit or credit card numbers, passwords or codes by e-mail or telephone (or text messages/the app, etc.). Therefore, never share this information by any means under any circumstances! If you call the Bank, it may need to identify you. It will do this by asking you some personal questions.
11 What are your rights?
11.1 Right of access
You have a right of access to the PD concerning you that are processed by the Bank.
The Bank takes all necessary measures to ensure that your PD are correct, up-to-date, complete and relevant. For this reason, the Bank asks you to keep it informed of any changes (new home address, new identity card, acquisition of a new nationality, etc.). If you discover that your data are inaccurate or incomplete, you can ask us to make corrections (see section "How can you exercise your rights?").
11.2 Right to rectification
You can amend some of your personal data yourself by logging on to the Transaction Website > Preferences > Personal Data > Communication. The Bank consults the National Register in relation to certain PD amendments made by you. This is because the Bank must ensure that the change made matches information held in official databases.
For data that you cannot change yourself on the Transaction Website, you also have the right of rectification in the event of an error or omission. To exercise this right, you may send an e-mail to firstname.lastname@example.org, clearly specifying the reasons why you think the data should be corrected and attaching any documents that show this to be the case.
If the Bank corrects data concerning you which it had previously shared with a third party, it will also notify the third party.
11.3 Right to be forgotten
In some specific cases, the regulations allow you to have your PD deleted from the Bank's database.
This is the case, in particular, if the data are no longer necessary to achieve the purposes for which the Bank collected them, if the processing of your data is based solely on your consent and you decide to withdraw it, or if you have objected to the processing of your data and there are no legitimate grounds for the Bank which take precedence over yours (for example, because you provided your PD with a view to submitting an application for a mortgage loan that you did not ultimately take out).
However, the Bank may store your PD when they are needed for establishing, exercising or defending its rights in court, or for the Bank to comply with its statutory obligations (see section "Retention period").
11.4 Right to restrict processing
This right of objection enables you to ask the Bank to temporarily stop processing your PD in specific cases defined by regulations.
You can ask for your data to be blocked:
- when the data in question are inaccurate, incomplete, ambiguous or out of date, for the amount of time needed to enable the Bank to check the accuracy of your data;
- when collecting, processing, disclosing or storing them is prohibited;
- when the data are no longer needed to achieve the purposes of processing;
- for the period of time needed by the Bank to assess the merits of an objection request.
If you have exercised this right, the Bank may retain your data but it will no longer be able to process them unless you provide your consent to do so, or in order to establish, exercise or defend its rights (or the rights of another person) or in cases provided for by the regulations.
11.5 Right to data portability
By virtue of this right, you may ask the Bank to send your PD to you or to send them directly to another data controller, where this is technically possible for the Bank. This right only applies to data which you yourself have supplied to the Bank and which are automatically processed on the basis of the contract or your consent.
You can submit a request using the following form
11.6 Right to withdraw your consent
When your data are processed because you have provided your consent, you have the right to withdraw this consent at any time. However, withdrawing your consent does not call into question the legality of the processing carried out during the period before you withdrew your consent.
11.7 Right of objection
You have the right to object, for reasons relating to your particular circumstances, to any processing of your PD which is based on the Bank's legitimate interests. However, the Bank will be unable to grant your request if there are legitimate and overriding reasons that prevail over your interests, rights and freedoms, or if the processing of your data is required in order to establish, exercise or defend its rights in court.
Furthermore, you always have the right to object, without justification and at no cost, to the processing of your PD for marketing purposes (see section "Direct marketing"). If you do so, your data will no longer be used for this purpose.
12 How can you exercise your rights?
Customers can send their request from their authenticated e-mail address (i.e. either the e-mail address they entered when opening their account, or any e-mail address they provided subsequently which has been validated by the Bank) to email@example.com, without having to attach a copy of their identity card.
If you no longer have access to your authenticated e-mail address or are not a customer, you must send your request to the Bank together with a legible copy of the front and back of your identity card by e-mailing firstname.lastname@example.org in order to exercise your rights.
Following receipt of a complete request from you, the Bank will assess its validity. If you are entitled to exercise the right invoked, it will take the necessary action as swiftly as possible.
In all cases, the Bank will respond to you within one month. If your request is complex, the Bank will inform you within one month and will contact you again with the information requested within a maximum additional period of two months.
If you request any copies or additional information when exercising your right to access your PD, the Bank may charge you a reasonable amount for administrative costs.
13 Who should you contact in the event of a complaint?
Should you have any complaints about how your PD are processed, you may submit an application for mediation to the Data Protection Authority at the following address:
Autorité de protection des données
Rue de la Presse 35
1000 Bruxelles
Tel.: +32 2 274 48 00
E-mail: email@example.com