Code of Conduct for the Processing of Personal Data by Financial Institutions

1. Preamble

1.1 As part of their business operations, banks and insurers (hereafter: ‘financial institutions’) process personal data and find it important that these personal data are handled with due care and that they are treated as confidential.

1.2 The Data Protection Act (Wet bescherming persoonsgegevens), hereafter: WBP, aims to provide guarantees for the protection of the privacy of natural persons in respect of the processing of personal data.

1.3 The Netherlands Bankers’ Association (Nederlandse Vereniging van Banken), hereafter: NVB, and the Association of Insurers (Verbond van Verzekeraars), hereafter: VvV, have drawn up earlier codes of conduct relating to the Data Protection Act (the Privacy Code of Conduct for the Banking Industry (Netherlands Government Gazette 207, 25 October 1995) and the Code of Conduct for the Processing of Personal Data in the Insurance Industry (Netherlands Government Gazette 44, 5 March 1998)), in which the legal regulations are worked out in further detail.

1.4 NVB and VvV wish to make their respective codes of conduct consistent with the WBP and integrate them into the Code of Conduct for the Processing of Personal Data by Financial Institutions (hereafter: Code of Conduct).

1.5 The Code of Conduct aims:

a. to provide financial institutions with guidelines on the treatment of personal data,

b. to provide information to individuals whose personal data are (or will be) processed by financial institutions, and

c. to contribute to the transparency of the rules applied in respect of the personal data processed and to be processed by financial institutions.

1.6 Based on section 25 of the WBP, NVB and VvV have asked the Board for the Protection of Personal Data (College bescherming persoonsgegevens), hereafter: CBP, to assess whether this Code of Conduct is a correct elaboration of the WBP and/or any other legal regulation governing the processing of personal data.

1.7 CBP has assessed this Code of Conduct and subsequently declared that […].

2. Definitions

For the purpose of this Code of Conduct the following terms are defined as:

a. Filing system: any structured set of personal data which is accessible according to specific criteria and relates to different subjects.

b. Data subject: the individual to whom personal data relate, as detailed in 3.3.

c. Processor: the individual processing personal data on behalf of the controller without being subject to his direct control.

d. Special categories of personal data: personal data relating to a subject’s religion or philosophy of life, race, political persuasion, health, sex life, membership of a trade union, as well as criminal offences and personal data relating to unlawful or objectionable conduct in connection with a ban imposed in respect of such conduct.

e. Special risk: the situation in which an individual is denied compensation as a result of the deliberate provision of incorrect information, or in which an insurance policy has been cancelled or otherwise terminated as a result of the provision of incorrect information on the loss experience.

f. CBP: the Data Protection Board (College bescherming persoonsgegevens), as referred to in section 51 of the WBP.

g. Customer: the natural person with whom a financial institution maintains or has maintained a legal relationship, or the natural person who has indicated that he is considering entering into a relationship with a financial institution.

h. Third party: any individual other than the data subject, the controller, the processor, or any other individual, who, under the direct control of the controller or the processor, is authorised to process personal data.

i. Financial institution: a bank and/or insurer.

j. Officer: the individual in charge of data protection as referred to in section 62 of the WBP.

k. Functional unit: the group of individuals involved in a direct or similar fashion in the purpose for which medical data have been requested or provided.

l. Code of conduct: the Code of Conduct for the Processing of Personal Data by Financial Institutions.

m. Group: the economic unit in which legal entities and companies are connected organisationally and to which a financial institution belongs.

n. Personal data: any information relating to an identified or identifiable natural person.

o. Controller: the legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, or the legal person designated for this purpose within a Group.

p. Processing of personal data: any operation or set of operations which is performed upon personal data, such as collection, recording, organisation, storage, alteration, consultation, use, disclosure and destruction.

q. WBP: Data Protection Act (Wet bescherming persoonsgegevens).

3. Description of the sector, scope and data subjects

3.1 The sector

The code of conduct applies to credit institutions that are members of the Netherlands Bankers’ Association (Nederlandse Vereniging van Banken, NVB), as well as to any banks associated with Rabobank Nederland and to insurers that are members of the Association of Insurers (Verbond van Verzekeraars).

3.2 Scope

This code of conduct shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system where such is effected by a financial institution as part of normal business operations. The processing of personal data in connection with incident registers by the security departments of financial institutions and the processing of personal data in the capacity of employer fall outside the scope of this code of conduct.

3.3 Data subjects

Within the framework of the activities set out in article 5, the personal data of the following data subjects are processed:

a. customers;

b. individuals whom a financial institution aims to approach in order to persuade them to enter into a legal relationship;

c. individuals approaching a financial institution;

d. individuals whose personal data a financial institution is obliged to process under a legal regulation (for instance permission from the spouse under section 88, book 1 of the Dutch Civil Code) or in view of prevailing terms of prescription;

e. individuals whose personal data a financial institution is obliged to process in connection with contractual or legal obligations vis-à-vis a customer or a third party.

4. Principles governing the processing of personal data

4.1 Personal data shall be processed fairly and lawfully.

4.2 Personal data shall be collected for specified, explicit and legitimate purposes.

4.3 Personal data shall only be processed if and insofar as such is consistent with at least one of the following legal grounds:

a. the data subject has given his unambiguous consent for the processing of personal data;

b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c. processing of personal data is necessary for compliance with a legal obligation to which the controller is subject;

d. processing of personal data is necessary in order to protect the vital interests of the data subject; or

e. processing of personal data is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the personal data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subject, particularly the right to privacy.

4.4 Personal data shall not be processed in a way that is inconsistent with the purposes for which they have been collected.

4.5 The controller shall take measures to ensure that personal data, taking into account the purposes for which they are processed, are accurate, sufficient, relevant and not excessive.

4.6 If personal data are obtained from the data subject, the controller shall inform the data subject about his identity and the purposes of the processing of the personal data of the data subject, unless the controller may assume on reasonable grounds that the data subject is already cognizant of this. This obligation to provide information shall be fulfilled before the data are obtained.

4.7 If the personal data are obtained in any other way, the controller shall inform the data subject of this at the time of undertaking the recording of the data, or, if the personal data are destined to be provided to a third party, at the time when the data are first disclosed. The obligation does not apply if the data subject is already aware of this or if the provision of such information to the data subject proves impossible or could involve a disproportionate effort. In that case the origin of the personal data shall be recorded. Nor does the obligation apply if the recording or provision of the data is prescribed by or under the law.

4.8 If, in view of the nature of the data, the circumstances in which they are obtained or the use that is made of them, such is vital to the safeguarding of the fair and careful processing of personal data, additional information shall be provided to the data subject besides the information referred to in 4.6 and 4.7.

4.9 Within the framework of their on-line business operations, financial institutions may record and further process personal data of data subjects approaching a financial institution through the Internet. By means of a Privacy Statement on their web sites, financial institutions shall make information available on the policy concerning personal data obtained through the Internet. The statement shall contain at least the information as referred to in article 4.6.

5. Processing of personal data

5.1 General

5.1.1 Subject to the principles governing the processing of personal data, the processing of personal data by financial institutions is effected within the framework of an efficient and effective business management, with a particular focus on the following activities:

a. the assessment and acceptance of (potential) customers, the conclusion and performance of contracts with a data subject and the settlement of payment transactions;

b. the performance of analyses of personal data for statistical and scientific purposes;

c. the performance of (targeted) marketing activities designed to establish a relationship with a data subject and/or maintain or extend a relationship with an existing customer;

d. the safeguarding of the security and integrity of the sector, including the fight against and the prevention and investigation of (attempts at) (punishable) conduct directed against the industry to which a financial institution belongs, the group to which a financial institution belongs, the financial institution itself, its customer base and staff, as well as the use of and participation in warning systems;

e. the fulfilment of legal obligations.

5.1.2 Financial institutions shall not process more personal data than is strictly necessary. They shall make these personal data available only to employees within the group who, subject to the principles governing the processing of personal data, are authorised to handle them.

5.1.3 Where necessary, financial institutions shall state their specific activities in the registration with the CBP, or, where applicable, with their own officer.

5.2 Processing of personal data relating to the assessment and acceptance of (potential) customers, the conclusion and performance of contracts with a data subject and the settlement of payment transactions.

5.2.1 Personal data are collected relating to the assessment and acceptance of (potential) customers and the conclusion and performance of a contract. Insofar as this involves personal data relating to health and criminal convictions, the provisions of paragraph 6 shall apply.

5.2.2 Factual data relating to claims submitted under the contracts or a certain well-defined category thereof, concluded with the financial institutions, may be forwarded to a central disclosure office set up by or for the participating financial institutions relating to activities aimed at preventing and combating fraud. For the assessment and acceptance of (potential) customers, financial institutions may provide data to and remove them from warning systems. This code of conduct does not apply to such warning systems.

5.2.3 Within the framework of the normal settlement of payment transactions, a financial institution forwards personal data to the other party. Also, unless otherwise agreed, additional data are provided to the parties involved in the further processing of the personal data insofar as these are reasonably needed for verification and reconstruction purposes.

5.2.4 Within the framework of the implementation of payment transactions, financial institutions may use the services of a processor.

5.3 Processing of personal data relating to analyses for statistical and scientific purposes

5.3.1 The processing of personal data for historical, statistical or scientific purposes shall not be regarded as incompatible with the purposes for which they were collected in the first place if the controller has made the necessary provisions to ensure that the further processing of personal data shall be effected for these specific purposes only.

5.3.2 Data warehousing and the analysis of the personal data stored in such data warehouse shall be considered as the processing of personal data for statistical purposes if the provisions of the preceding paragraph are met.

5.3.3 In order to target marketing activities at certain groups, personal data may be analysed that have been collected within the framework of marketing activities.

5.4 Processing of personal data relating to marketing activities

5.4.1 If it has been made sufficiently clear to the customer that the financial institution to whose customer base the customer belongs is part of a group, and that the financial institution considers the customer as a customer of the group, the customer may be approached by all group companies for the purpose of marketing activities, provided that the other provisions of the Data Protection Act have been met. 

5.4.2 Marketing activities primarily make use of personal data originating from the data subject himself. As a rule, if any personal data are used that have not been obtained from the data subject himself, the origin of the personal data shall be recorded and the financial institution shall satisfy itself that the WBP is complied with.

5.4.3 When the occasion arises, specialised firms are called in to handle marketing activities. Financial institutions shall ensure that a processor contract is concluded with these firms, which contains the obligations a processor should fulfil within the framework of the WBP and shall ensure due compliance.

5.4.4 Payment transactions may involve an exchange of information needed for the proper settlement of a payment order. The financial institution shall consider the content of such information as confidential and shall refrain from using it for marketing activities.

5.4.5 In the event of marketing activities, it shall always be ascertained whether a customer has made use of his or her right of objection as referred to in paragraph 7.2, in relation to the processing of personal data for these purposes.

5.5 Processing of personal data relating to security and integrity, as well as the use of warning systems

5.5.1 The processing of personal data of the data subjects other than by the security department or an officer authorised for this purpose comes within the scope of this code of conduct.

5.5.2 If these personal data are entered in a warning system for the use of Dutch-based financial institutions in respect of which a financial institution does not act as controller, this code of conduct shall not apply.

5.5.3 Insofar as the processing of personal data, including personal data of individuals other than a data subject, is effected within the framework of the security and integrity of the sector by a security department or an officer authorised for this purpose, this code of conduct shall not apply. In view of the nature of the processing and the special measures taken to protect the personal data, the conditions governing such processing of personal data have been laid down in the ‘Protocol in respect of the Incident Warning System for Financial Institutions’ (Protocol Incidentenwaarschuwingssysteem Financiële Instellingen).

5.5.4 The investigation into the facts of the incident shall be subject to the ‘Code of Conduct for Personal Investigations’.

5.6 Processing of personal data in connection with legal regulations

5.6.1 In view of the legal regulations, financial institutions are obliged to provide information on their customers and other data subjects to government institutions and other institutions. The most essential legal obligations are set out below.

5.6.2 Disclosure of Unusual Transactions (Financial Services) Act (Wet melding ongebruikelijke transacties, Wet Mot): under the Disclosure of Unusual Transactions (Financial Services) Act, a financial institution is obliged to disclose unusual transactions to the legal reporting office, which has to assess whether these data might be relevant to the prevention and investigation of crimes. Which transactions should be qualified as unusual is determined by means of an indicator list. A financial institution is obliged to keep such disclosures confidential.

5.6.3 Identification (Services) Act (Wet identificatieplicht bij dienstverlening, Wid): Under this act, a financial institution is obliged to establish the identity of a customer before providing a service to such customer. The customer’s identity is established by means of documents detailed or referred to by the act. In connection with this, a financial institution shall record and keep on file a number of specific data.

5.6.4 Provision of information to the tax authorities: Financial institutions are obliged to provide information on their customers to the tax authorities. Reference is made to the Tax Authorities/Banks Information Regulation (Voorschrift Informatie Fiscus/Banken).

5.6.5 Credit System (Supervision) Act 1992 (Wet toezicht kredietwezen 1992): Under the Credit System (Supervision) Act 1992, De Nederlandsche Bank N.V. is authorised to collect any information from certain financial institutions that it deems vital to its regulatory task. This will only occasionally result in a request for information on customers.

5.6.6 Insurance Industry (Supervision) Act 1993 (Wet Toezicht Verzekeringsbedrijf 1993): Under the Insurance Industry (Supervision) Act 1993, the Pension and Insurance Supervisory Board is authorised to collect any information it deems vital to the exercise of its regulatory task. This will only occasionally result in a request for information on customers.

5.6.7 Foreign Financial Relations Act 1994 (Wet financiële relaties buitenland 1994): Under this act, every institution is obliged to provide such information and data to De Nederlandsche Bank N.V. as are or may be important to the preparation of the balance of payments of the Netherlands and/or to ensuring compliance with international treaties concerning the movement of capital and goods. For the customer, unless he is resident in a country that is subject to United Nations sanctions or appears on a list of individuals who are subject to a sanction, only the submission to De Nederlandsche Bank N.V. of the data needed for the preparation of the balance of payments is relevant. In the event of payments involving larger sums of money, the relevant data (ordering customer, amount, nature of the payment, payee, etc.) will be forwarded to De Nederlandsche Bank N.V.

5.6.8 Securities Transactions (Supervision) Act 1993 (Wet toezicht effectenverkeer 1993): Under this act the financial institution may be required to provide data concerning financial transactions to investigative authorities within the framework of the fight against insider trading. See also section 42 of the Specific Regulation on the Supervision of the Securities Industry 1999 (Nadere Regeling Toezicht Effectenverkeer 1999) (Netherlands Government Gazette 1999, no. 12, p. 8 ff).

5.6.9 Consumer Credit Act (Wet consumentenkrediet, Wck): Under the Wck, financial institutions engaged in extending loans to natural persons falling within the scope of the Wck must join a ‘system of credit registration’ (section 14, paragraph 2 Wck). The Tiel-based Central Credit Registration Office (Bureau Krediet Registratie, BKR) operates such a credit registration system. Lenders provide data relating to the origin and settlement of financing to the BKR and also have the data submitted by other lenders at their disposal. The nature of the recorded data, the conditions for recording, use and provision and the rules for removing the data are laid down in the BKR rules and regulations. There is also a BKR code of conduct. Furthermore, in case of a dispute, individuals registered with the BKR may apply to the BKR arbitration committee, in addition to the possibility provided in section 60 of the Data Protection Act.

5.6.10 Income Tax Act 2001 (Wet inkomstenbelasting 2001) and the Income Tax Implementation Act 2001 (Invoeringswet inkomstenbelasting 2001): Under these acts financial institutions are required to state the tax and social insurance number (SOFI-nummer) as a mandatory identifier on the information to be submitted for taxation purposes.

5.6.11 Decree on the use of the tax and social insurance number: Under this decree, insurers as referred to in section 2, fourth paragraph, under b of the Pensions and Savings Funds Act may use the tax and social insurance number for the implementation of pension schemes. The insurers are only allowed to use this number insofar as such is necessary for the performance of their tasks or for the due performance of statutory duties and in the transactions with the person to whom this number relates and in their contacts with the individuals and institutions insofar as these are entitled themselves to use the tax and social insurance number.

6. Processing of special categories of personal data

6.1 Personal data relating to a data subject’s state of health

6.1.1 Under the responsibility of the medical advisor, collecting data relating to a data subject’s state of health is reserved for individuals who are part of the Functional Unit. Reports of a medical officer, a medical expert and/or the Working Conditions Service (Arbodienst), as well as information from the therapeutic sector, shall be entered in the medical file that is kept under the responsibility of a medical advisor. The data subject has the right – preferably through a trusted doctor appointed by him or her – to inspect fully a medical file relating to him or her, except for the notes of the medical advisor, and to receive copies thereof, unless such would violate the right of privacy of the third parties discussed in the report.

6.1.2 If, within the framework of acceptance and/or claims handling a customer is asked to undergo a medical examination or an additional examination, the insurer shall point out in the medical examiner’s documents the importance of identification in order to prevent mistaken identity.

6.1.3 The collection of data relating to a data subject’s state of health from parties other than the data subject may only be effected after the data subject has authorised such collection. The authorisation shall be worded in such a way that it is solely directed towards the provision of permission for inspection or provision of data needed for handling a concrete case. The data subject about whom information is requested shall be informed on the nature of the information to be requested, as well as the purpose thereof. The authorisation shall also show that the data subject has been informed on the above.

6.1.4 Within the framework of the provision of certain services and/or products, personal data relating to an individual’s state of health, in the form of customers’ own statements, have to be processed. These personal data shall be treated as strictly confidential and only be processed insofar as such is necessary for:

a. the assessment of the risk to be insured, provided that the data subject has not objected, or

b. the implementation of an insurance contract, or

c. the implementation of a financing contract, provided that the data subject has given his explicit consent.

6.1.5 Data relating to an individual’s state of health, that have been processed with a view to the assessment of a risk to be insured or the implementation of an insurance or financing contract shall not be used within the framework of the assessment of the risk to be insured in respect of another insurance and/or the implementation of another insurance contract or financing contract without the data subject’s consent.

6.1.6 The processing of personal data relating to hereditary traits is subject to the ‘genetic research moratorium’ (moratorium erfelijkheidsonderzoek). The text of the moratorium has been attached to this code of conduct as an annex.

6.1.7 The processing of personal data relating to an individual’s state of health that can be derived from a blood test is subject to the ‘code of conduct for HIV’ (HIV-gedragscode). The text of the code of conduct for HIV has been attached to this code of conduct as an annex.

6.2 Personal data relating to criminal offences

6.2.1 In view of a sound acceptance policy, financial institutions may inquire about facts relating to a possible criminal record of individuals to be insured and others whose interests are (co-)insured on the insurance policy applied for (including directors and shareholders of legal entities) insofar as these facts relate to a period of 8 years prior to the date of the insurance application. In this regard, the criminal record stated may only be used for the assessment of the insurance and/or financing application and legally obtained data relating to a criminal record may be used within the framework of an individual’s invoking the right to remain silent as referred to in section 251 of the Commercial Code.

6.2.2 Criminal data relating to crimes committed against any of the financial institutions belonging to a Group, or data serving to establish possible punishable conduct vis-à-vis any of the financial institutions belonging to a Group may be forwarded to all legal entities belonging to such a Group, provided that the data are solely provided to functionaries who need such data for the discharge of their duties.

6.3 Other special categories of personal data

6.3.1 Payment orders may contain special categories of personal data, such as trade union data. Execution of the payment orders implies that such personal data are processed. The processing of personal data is effected, amongst other things, through the filing of the original documents or the copies thereof, whether or not in an electronic form. Such data may only be used if such is necessary for furnishing proof.

6.3.2 Special categories of personal data are processed in connection with the use of camera surveillance as set out in paragraph 8.4. The processing of these personal data is unavoidable in view of the identification of the data subject.

7. Rights of the data subjects

7.1 Notice and rectification

7.1.1 A data subject is entitled to apply in writing to a financial institution for an overview of the personal data relating to him or her which are processed by this financial institution. Barring the exceptions mentioned in the Data Protection Act, the financial institution shall send the data subject an overview of the personal data and information relating to the processing of these personal data within four weeks after the date of the application. If the financial institution does not process any personal data of the data subject, the financial institution shall inform the data subject of this, also within four weeks after the date of the application.

7.1.2 If the overview shows that the personal data are factually incorrect, incomplete or irrelevant for the purpose of the processing operation or are otherwise processed in contravention of this code of conduct or the Data Protection Act, the data subject may request in writing for rectification, addition, erasure or blocking of the data in question. A financial institution shall notify the data subject within four weeks after receipt of such request, in writing, whether or to what extent the request will be met. If the data subject’s request cannot be met, or cannot be fully met, the reasons for this shall be duly given. 

7.1.3 The above-mentioned requests for inspection or rectification shall be addressed to the controller instigating the processing. The request for rectification shall contain a specification of the personal data that need to be rectified. The controller shall ensure that the person making the request is duly identified.

7.1.4 If it is unclear to the data subject who acts as controller, for instance because the institution is part of a group, the data subject may address his request to the management of the financial institution which (he thinks) is handling the processing of his personal data. The management shall ensure that the request is duly handled.

7.2 Objection

7.2.1 If the legal ground for the processing of the personal data is comprised of the legitimate interest of the controller or of a third party to whom the data have been forwarded, the data subject shall have the right to lodge an objection against the processing of personal data in connection with his special personal circumstances. The controller shall assess within four weeks whether the objection is justified. In that case the processing of personal data of such data subject shall be ceased with immediate effect.

7.2.2 If a financial institution processes personal data with a view to solicitation for commercial or charitable purposes, a data subject may lodge an objection to this at any time, free of charge. In case of objection, the financial institution shall take measures to ensure that this form of processing of personal data is ceased with immediate effect. Each time the data subject is approached directly for the purposes referred to above, the possibility of lodging an objection shall be pointed out to him.

7.3 Compensation

7.3.1 For a request as referred to in articles 7.1.1 and 7.2.1, the controller may demand compensation to offset costs. Such charge shall not exceed the amount laid down by order in council.

7.3.2 If the data are adapted, changed or erased as referred to in article 7.1.2, or if the objection is upheld, the amount referred to in the previous paragraph shall be refunded.

7.4 Decisions based on the automated processing of personal data

7.4.1 Taking a decision solely based on the automated processing of personal data intended to evaluate certain personal aspects relating to an individual’s personality shall only be allowed if:

a. such decision is taken in the course of the entering into or the performance of a contract, or

b. such decision is authorised by law which also lays down measures to safeguard the data subject’s legitimate interests.

7.4.2 If the decision does not satisfy the data subject’s request, he shall be enabled to put his point of view forward. In that case, the controller shall inform the data subject of the logic on which the automated individual decision was founded.

8. Special subjects

8.1 Officer

8.1.1 A financial institution may appoint an officer. Only a natural person who possesses adequate knowledge for the discharge of his task and who may be deemed sufficiently reliable may be appointed as officer. For the discharge of his task, the officer shall be independent from the financial institution that has appointed him and shall not receive any instructions regarding the exercise of his duties. The financial institution appointing him shall enable the officer to discharge his task in a due manner and shall ensure that he suffers no prejudice as a result of his activities. In connection with this task he shall have protection against dismissal.

8.1.2 The officer shall ensure that the financial institution complies with the regulations laid down by or under any law governing the processing of personal data, and with the regulations laid down in this code of conduct. He shall prepare an annual report of his activities and findings. The officer has the powers vested in him by the Data Protection Act. The General Administrative Law Act shall apply by analogy.

8.2 Data exchange with countries outside the European Union

8.2.1 In the course of providing their services, financial institutions exchange personal data with subsidiaries and other financial institutions established outside the Netherlands. This relates in particular to the settlement of orders from customers or potential customers. Such orders may reach a financial institution in the form of regular orders, but also in the form of electronic orders or requests for information through the Internet. Where a transfer to a country outside the European Union is involved, the processing of personal data relating to such orders is subject to the principles set out in articles 8.2.2 and 8.2.3.

8.2.2 Subject to the principles governing the processing of personal data, the transfer of personal data to countries outside the European Union or the European Economic Area is allowed if the country in question ensures an adequate level of protection in respect of the personal data transferred.

8.2.3 If a country outside the European Union does not warrant an adequate level of protection in respect of the personal data transferred, transfer will be possible if:

a. the data subject has given his explicit consent for this, or

b. transfer is necessary for the performance of a contract between the data subject and the controller, or for taking steps, at the request of the data subject, that are necessary for the conclusion of a contract, or

c. transfer is necessary for the conclusion or performance of a contract to be concluded between the controller and a third party in the data subject’s interest, or

d. transfer is necessary on important public interest grounds, or for the establishment, exercise or defence of legal claims, or

e. transfer is necessary for the protection of vital interests of the data subject, or

f. the Minister of Justice has granted permission for the transfer or the category of transfers.

8.3 Protection of personal data

8.3.1 Having regard to the state of the art and the cost of their implementation and the risks involved in the processing of personal data and the nature of the personal data to be protected, the controller shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or against all other unlawful forms of processing of personal data.

8.3.2 Where the processing of personal data is carried out by an external processor, the controller shall choose a processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out. A written processor contract shall be concluded with such processor.

8.4 Camera surveillance

8.4.1 Financial institutions may use cameras:

a. for the security and protection of the financial institution, its customers and its employees, and

b. for the prevention, investigation and prosecution of offences, and

c. for the recording of images to support legal procedures.

8.4.2 Such use is only allowed if:

a. camera surveillance is selectively exercised, i.e. no more locations and individuals may be recorded than is necessary for the above-mentioned purposes. Insurers are also subject to the Code of Conduct for Personal Investigations (Gedragscode Persoonlijk Onderzoek);

b. the personal data obtained through camera surveillance shall not be stored any longer than is necessary for the purposes set out in article 8.4.1. In principle, such period shall not exceed one month, unless the personal data relate to an incident. In such a case, the personal data are kept for the length of time needed to deal with that incident;

c. the images obtained through camera surveillance are stored and protected in such a way as to ensure that they are not accessible to unauthorised individuals. Technical and organisational provisions shall be taken to prevent the personal data from being manipulated and in order to be able to trace and reconstruct the personal data, if necessary.

8.4.3 If there is camera surveillance, this shall be communicated in a clear fashion.

8.5 Recording of telephone conversations

8.5.1 Save for use for training, coaching and appraisal purposes, telephone conversations shall only be recorded:

a. for the verification and investigation of, or as evidence of, orders, transactions and other (pre-contractual) agreements with the customer;

b. if such is necessary in the fight against fraudulent conduct or other offences directed against the financial institution, the group to which the financial institution belongs, or its customers and employees;

c. if such is required by a statutory regulation.

8.5.2 The data subject whose telephone conversations are recorded shall, in principle, be informed of this, unless doing so is impossible in view of the purposes referred to under b and c of article 8.5.1.

8.5.3 The recorded telephone conversations and other personal data relating to the recorded telephone conversations shall be stored and protected in such a way as to ensure that they are not accessible to unauthorised individuals. Technical and organisational provisions shall be taken to prevent the data from being manipulated and in order to be able to trace and reconstruct the personal data, if necessary.

8.5.4 The recorded telephone conversations shall not be stored any longer than is necessary for the purposes set out in article 8.5.1.

8.5.5 In the event of differences or disputes regarding the interpretation of the content of the recorded telephone conversations, the customer shall have the right to listen to the recorded telephone conversation and/or obtain a transcript of the recorded telephone conversation.

9. Auditing and supervision

9.1 Financial institutions set great store by due compliance with the regulations of the Data Protection Act. To this end, they have instructed their audit department or another similar department to oversee compliance with the Data Protection Act and this code of conduct and to report on this. The audit department of the financial institution shall lay down its findings in a report at least once a year.

9.2 To advance the audit as referred to in the first paragraph, financial institutions shall draw up internal instructions setting out the way in which the personal data are to be processed. These instructions shall be given in respect of all those subjects that require further explanation for the staff.

9.3 As part of the policy pursued by a financial institution in respect of the protection and auditing of the use of personal data, a financial institution may, in addition, appoint an officer of its own as referred to in 8.1.

10. Disputes

10.1 Data subjects in whose opinion a bank is violating the code of conduct or is otherwise acting in breach of the Data Protection Act may address themselves to the Arbitration Committee for Banking Affairs (Geschillencommissie Bankzaken), Bordewijklaan 46, 2nd floor, 2591 XR The Hague, Postbus 90600, 2509 LP The Hague, telephone 070-31 05 310. Data subjects may also apply to the CBP or the court.

10.2 Data subjects in whose opinion an insurer that is a member of the Association of Insurers (Verbond van Verzekeraars) is violating the code of conduct or is otherwise acting in breach of the Data Protection Act may address themselves to the Insurance Complaints Authority (Stichting Klachteninstituut Verzekeringen), Postbus 934450, 2509 AL The Hague. Data subjects may also apply to the CBP or the court.

10.3 Invoking any of the aforementioned complaints or arbitration procedures shall not suspend the time limits laid down in sections 46 and 47 of the Data Protection Act. A data subject exercising his rights under sections 46 and 47 of the WBP retains the right to lodge a complaint, to go to arbitration or to apply for the mediation of any of the above-mentioned organisations, whether at the same time as, during or after the proceedings referred to in sections 46 and 47 of the WBP; none of those organisations may declare a complaint inadmissible on that ground.