KBC Brussels would draw your attention to the most important changes in this Data Protection Statement of KBC Bank.

• Clarification and simplification of the Data Protection Statement
• Addition with regard to personalised advertising and, in particular, with regard to Kate Coin and our partners (see 2.5)
• Supplement to processors (see 4.2 and 4.4)

KBC Brussels is the controller of personal data as described in this Data Protection Statement.

Every mention of ‘KBC Brussels’ in this Data Protection Statement refers to KBC Bank NV. KBC Bank NV is a member of the KBC Group, which is an integrated bank-insurance group that provides financial services. More information on the activities of KBC Bank NV and the KBC Group is available at www.kbc.com.

KBC Bank NV may modify this Data Protection Statement at any time. The most recent version is always available at www.kbc.be/en/privacy. KBC Bank NV will notify you of every all-important change to the content via its communication channels (e.g., websites, Bolero Online, KBC Brussels Mobile, KBC Brussels Touch, the Bolero app, etc.).

In addition, KBC Bank NV processes personal data on behalf of other entities in the KBC Group. In so doing, it follows instructions issued by that other KBC Group entity, which acts as data controller. This processing is included in the other entities’ data protection statements. In certain cases, KBC Bank NV also processes personal data together with other KBC Group entities as joint controllers. You can read more about this in Part 4.

We also recommend that you read KBC Brussels’s cookie policy when you use one of KBC Brussels’s digital channels, such as the KBC Brussels website or a KBC Brussels application. It explains what cookies are, which ones KBC Brussels uses, how you change your cookie preferences and how KBC Brussels protects your privacy. The cookie policy can always be found in the digital channel itself. For example, you can consult the cookie policy for the KBC Brussels website at www.kbcbrussels.be, at the bottom of the web page.

We define several categories of individuals whose personal data we collect and process:

KBC Brussels processes different types of personal data. Below, you will find an overview of the different categories of data and examples of each category.

We recommend that you read this information carefully, so that you know the purposes for which KBC Brussels may use your data. This data protection statement also contains more information about your data protection rights and how you can exercise them.

KBC Bank NV may make changes to this data protection statement. The most recent version is always available at www.kbcbrussels.be/privacy. KBC Bank NV will notify you of every all-important change to the content via its websites, Bolero Online, the KBC Brussels Mobile app, KBC Brussels Touch, the Bolero App or other communication channels.

We also recommend that you read the KBC Brussels cookie policy when you use one of KBC Brussels’s digital solutions, such as the KBC Brussels website or a KBC Brussels application. It explains what cookies are, which ones KBC Brussels uses, how you change your cookie preferences and how KBC Brussels protects your privacy. The cookie policy can always be found in the digital solution itself. For example, you can consult the cookie policy for the KBC Brussels website at www.kbcbrussels.be, at the bottom of the web page.

KBC Bank NV is a bank with operations in Belgium and a number of other countries worldwide. KBC Bank NV’s head office is at Havenlaan 2, 1080 Brussels. KBC Bank NV is part of the KBC Group (also ‘KBC Brussels’ in the following), which is an ‘integrated bank-insurance group’, i.e. KBC Brussels is a group of companies that, through close cooperation, create and distribute banking, investment and insurance products, and provide financial services.

The KBC Group principally focuses on retail customers, SMEs and high net worth customers, and mainly operates in Belgium, the Czech Republic, Slovakia, Hungary, Bulgaria and Ireland. In addition, the KBC Group operates via companies and entities in a selection of EEA and non-EEA countries. KBC Bank has legal branches in various places including Germany, the Netherlands, France, Ireland and Italy. For example, outside the European Union, this concerns countries or cities such as the United Kingdom, the United States, China, Singapore and Hong Kong. These may have their own data protection statement, which differs from this data protection statement. KBC Brussels also works with parties outside the European Economic Area. You can read more about this in 5.7.

More information on the activities of KBC Bank NV and the KBC Group is available at www.kbcbrussels.be.

KBC Bank NV is the controller of personal data in the context contemplated in this data protection statement.

Aside from that, KBC Bank NV also processes personal data on behalf of other KBC Group entities, such as where KBC Bank NV acts as an intermediary for KBC Insurance or KBC Asset Management. In cases such as those, KBC Bank NV processes the data of customers, insured persons and beneficiaries under insurance policies and under employee profit-sharing bonus programmes of those other KBC Group entities. In so doing, it follows instructions issued by that other KBC Group entity, which acts as data controller.

KBC Bank NV also processes personal data together with other KBC Group entities as joint controllers. You can read more about this in 3.5

If there are good reasons for doing so, such as are explained in this part 3, KBC Brussels may also make data available to other KBC Brussels entities, whether in Belgium or elsewhere. Or it can process this data if it has been collected lawfully from another KBC Brussels entity (in Belgium or elsewhere), Naturally, this is only possible provided there is no legal impediment, such as a confidentiality obligation or a provision of the data protection legislation.

KBC Brussels processes your data for a variety of purposes. These purposes have been grouped together below according to the applicable legal basis.

Anti-Money Laundering Act and preventing the financing of terrorist activities

• Banks must deploy all possible means to prevent, discover and/or report instances of money laundering and financing of terrorism to the authorities. This is a matter of considerable public interest.
• Specifically, KBC Brussels has to:
  • Identify you as a customer, representative or ultimate beneficial owner;
  • Verify your identity;
  • Determine your profile (in relation to the risk of money laundering), which involves collating various personal and business data, such as whether you’re a politically exposed person;
  • Check your actions and transactions, and prevent certain transactions and report them to the Belgian Financial Intelligence Processing Unit.

In the context of their obligations under sanctions rules, banks are required to screen customer details against sanctions lists.

KBC Brussels has to be in possession of a recent copy of your identity card for this purpose.

Statutory reporting duties and duties of disclosure

KBC Brussels is required to comply with various national and international laws and regulations. That is why we process personal data and report operations, transactions or orders to competent local and foreign authorities, such as financial, tax, administrative, criminal or legal bodies.

For example, KBC Brussels is required by law to share certain information with the Central Point of Contact of the National Bank of Belgium.

Prevention of market abuse and conflicts of interest

Banks are required to prevent, detect and report abuse of inside information or market manipulation and to report suspicious transactions to the authorities.  

Mandatory use of personal data in banking services in accordance with specific legislation, such as the MiFID II directive and PSD2 regulations

Other risk monitoring

KBC Brussels is responsible for appropriately controlling risks (including at group level). It is required to detect, prevent, mitigate and address risks. Examples include credit, insurance, counterparty and market risk, risks concerning information management and statutory compliance, the risk of staff, customer and/or supplier fraud, the risk of unethical behaviour by staff or breaches by them of their duties of care. This risk management has to be ensured at both central level (gathering data on customers and groups of customers) and local level (e.g., by disseminating risk alerts). All manner of other types of risk profile are also determined in this context.

Conclusion and management of contracts

Before KBC Brussels concludes a contract for a financial or banking product, it may be necessary for certain information to be processed and/or to be analysed for profiling in order to assess the application and determine the terms and conditions. This may include data collection and processing for credit applications, such as property estimates for mortgages or secondary guarantees, and the processing of contact details for bank guarantees.

KBC Brussels provides the services agreed and prepares contracts at your request, which includes the performance of the corresponding accounting and administrative tasks. This pertains to the management of your customer file, including all contracts and services.

Examples of processing operations for the performance of contracts include the administration of accounts, payments, deposits, lending, and monitoring security arrangements.
KBC Brussels processes the personal data of representatives of legal entities for authentication and communication and to exercise the company powers regarding KBC Brussels services and products. For the more complex needs and requirements of SMEs and Corporate Banking customers, KBC Brussels offers specific support and advisory services such as, for example, on growth strategy or the optimal approach to working capital.

Carrying out transactions

For payment transactions, KBC Brussels provides the payee with information on the transaction, such as general information on why the payment is not passing via a direct debit. KBC Brussels also offers account information services and payment initiation services, giving KBC Brussels access to the balance and transaction information of the accounts you hold with another bank, provided that these accounts can be accessed online. The account information is only used after you have activated the service and serves to carry out the requested service. If there are difficulties in connecting KBC Brussels to the account-holding bank, limited account information may be exchanged to resolve those problems.

Own products and services

In KBC Brussels Mobile, KBC Brussels also offers its customers products and services outside the general fields of banking and insurance, such as Goal Alert, Digital Safe, Joyn loyalty cards and Energy-efficient at home. Some of these services are also accessible to platform users.

Partners’ products and services

In KBC Brussels Mobile and KBC Brussels Touch, KBC Brussels offers its customers services of partners outside the general fields of banking and insurance. If data needs to be exchanged to ensure efficient use of the partner’s service, KBC Brussels will inform the customer accordingly, whereby KBC Brussels is usually the data controller in its environment (for payments or, for example, to pre-populate a form with your data) and responsible for the transfer of customer data to the third party. The partner company is the data controller in the context of the service to be provided (such as issuing your ticket).

To enable such apps to function properly, KBC Brussels exchanges personal data with the partner company, whereby KBC Brussels is usually the data controller in its environment (for payments or, for example, to pre-populate a form with your data) and responsible for the transfer of customer data to the third party. The partner company is the data controller in the context of the service to be provided (such as issuing your ticket).

Payment services remain the core of the KBC Brussels Mobile app. KBC Brussels integrates the Payconiq by Bancontact app in KBC Brussels Mobile so that you can easily buy something or transfer money to an acquaintance without a bank card or cash. For the latter, it suffices to select your contacts from the contact list on your phone. KBC Brussels asks your consent to allow it to view that contact list and shares your selected contacts’ mobile phone numbers with Payconiq, under the responsibility of Payconiq, in order to make the payment possible.

In the KBC Brussels Business Dashboard

In the KBC Brussels Business Dashboard, an online application for businesses, KBC Brussels also makes services of third parties available. With your account, you can log in to companies that provide specialised services for businesses, such as BrightAnalytics BV, Cashforce NV and Soluz.io NV.

KBC Brussels is usually the data controller in its environment and responsible for the transfer of customer data to the third party. The partner company is the data controller in the context of the service to be provided.
A detailed overview of all additional services can be found here: Additional services in KBC Brussels Mobile – KBC Bank & Insurance.

The KBC Brussels Mobile Regulations or the General Terms and Conditions of the relevant digital service where Kate is available specify what you can expect from Kate and how the assistant works. If Kate is unable to assist you further, she can refer you to KBC Brussels Live.

‘Extra convenience’ in KBC Brussels Mobile

If you accept the KBC Brussels Mobile Regulations, you opt for ‘Extra convenience’ - you can deactivate this feature at any time in KBC Brussels Mobile - in which case KBC Brussels will provide you with the following services:

• Kate can send you messages about products, services and applications offered by KBC Brussels. To make this possible and thus be able to predict your behaviour, wishes, risks and needs, Kate analyses historical and new data available to KBC Brussels from you personally, your family, or from your capacity as a legal representative. This includes your transaction details, your use of KBC Brussels products and services, additional services offered by our partners in KBC Brussels Mobile, such as NMBS, and insights gained from market analyses and customer behaviour.
• Kate applies these analyses to your specific situation (profiling) to be able to offer you personalised services. If you use ‘Additional services’ in KBC Brussels Mobile, KBC Brussels may use the data processed in that context to provide you with extra convenience. For example, KBC Brussels can consult the data you see when you go to the Pluxee service, so that Kate can let you know when you’re about to run out of Pluxee service vouchers.
• As a holder of a KBC Brussels Basic Account or KBC Brussels Plus Account, you receive additional information in KBC Brussels Mobile or KBC Brussels Touch, such as the location where you performed a transaction, the retailer’s brand name and logo, etc. This helps you understand the context of the transaction. We also provide information about your environmental footprint, which is based on a number of parameters such as your transactions and other relevant details KBC Brussels has at its disposal.
• You are presented with practical and useful insights. They help you understand your financial situation, such as an expected account overdraft or changes in your spending habits.
• Kate Coins in ‘Extra convenience’: Kate Coins no longer form part of ‘Extra convenience’. They are now exclusively reserved for users who have opted for the ‘Personalised’ service and accepted the accompanying terms of use. This ‘Personalised’ service is used by KBC Bank NV, CBC Banque SA and KBC Insurance NV for advertising purposes for their customers. More information in this regard can be found in KBC Brussels Mobile or at www.kbcbrussels.be. If you do not use the ‘Personalised’ service, you will not lose the Kate Coins you have earned previously in the ‘Extra convenience’ feature. You can use them until their expiry date (see the KBC Brussels Mobile Regulations for the terms and conditions). You can no longer earn new Kate Coins under ‘Extra convenience’.

You can deactivate ‘Extra convenience’ at any time without affecting the functioning of KBC Brussels Mobile. You will still be able to ask Kate any questions you have.

KBC Brussels can also communicate with you separately from the Kate terms and conditions. In that case, personal data will only be processed if KBC Brussels has another valid legal basis for doing so.

You can still ask Kate any questions, even if you’ve deactivated ‘Extra convenience’ in KBC Brussels Mobile. You decide how to use the service. This also applies to Business Dashboard users, where Kate will take into account the authorisations and access rights the company has given you. Answering some questions might require a more comprehensive analysis of personal data. This will only occur if you opt for ‘Extra convenience’ (KBC Brussels Mobile only).

As a commercial enterprise, KBC Brussels also has legitimate interests in processing personal data. These are inspired by the need to function as a business and to enable new initiatives to be developed and offered to customers. In that regard, KBC Brussels ensures that the impact on your privacy is kept to a minimum and that, in all events, KBC Brussels’s legitimate interests remain proportionate to the impact that upholding them has on your privacy. Nonetheless, if you harbour an objection to this use being made of your data, you may exercise your right to object. KBC Brussels will respect your objections, unless KBC Brussels has compelling reasons for not doing so.

There are various situations in which KBC Brussels processes personal data.

Risk management, security and combatting fraud

KBC Brussels conducts in-depth data analysis to identify major risks, such as the risk of fraud, cyber and credit risks. This includes:

• Developing and conducting or creating studies, models and statistics for various non-commercial purposes
• Detecting risk signals in internal or external sources. These could indicate, for example, that you are in arrears with the repayment of a credit or that you are involved in a fraud case or a money laundering case. A risk signal may have considerable consequences, for example that KBC Brussels won’t give you credit, or refuses or phases out the customer relationship with you
• Preventing fiscal fraud
• Guaranteeing the safety of persons and goods
• Combating fraud and detecting cyber risks. For example, every time you add a KBC Brussels debit card in the Payconiq by Bancontact app, Bancontact Payconiq Company sends data such as the card number and IP address to KBC Brussels through a secure channel, which KBC Brussels can then analyse further
• Identifying the ultimate beneficial owner (KYC)
  Putting customers in touch with third-party service providers either directly or indirectly as part of ethical due diligence. To assess the reliability of these service providers, KBC Brussels may subject them to a screening. For this purpose, KBC Brussels processes both company data and personal data of the company’s legal representative(s) and/or UBO(s)
  

Internal administration for the KBC Brussels organisation

To comply with internal and regulatory reporting and internal control, and to defend rights and communicate as a company. This includes:

• Organising the administration, (risk) management and oversight, such as the legal department, the risk management department and inspections
• Following up on the collaboration with partners acting as referrers/intermediaries for KBC Brussels or because KBC Brussels has referred you to them, and calculating any commission. For this purpose, KBC Brussels also uses data that these partners make available to KBC Brussels regarding your use of their services and the link with KBC Brussels’s services
• Supporting and facilitating the processes of customers beginning to use, using and ceasing to use products and services to avoid your having to go through an entire ID verification process again if you want to become a customer elsewhere in the KBC Group. For instance, KBC Brussels can pass on your identity data to other KBC Group companies in order to speed up their identification processes
• Determining, exercising, defending and preserving the rights of KBC Brussels or persons whom it might represent (e.g., in disputes)
• Increasing efficiency or producing other benefits for its organisation and processes
• Promoting sustainability and addressingenvironmental, social and governance (ESG) risks in its loan portfolio
• Creating segments, such as Private Individuals, Businesses and Private Banking
• Keeping your customer file up to date to improve our service to you
• Contacting and evaluating future retailers

Developing and providing certain services

To support ICT systems and software, improve processes, coach staff and improve services. This includes:

• Testing for infrastructure and process development
• Evaluating, simplifying, testing and improving processes and the website, such as by using information from cookies (e.g., preference settings and click and browsing behaviour on our website) to follow up on a simulation left uncompleted, statistics or a satisfaction survey
• Investigating, monitoring and restoring incidents and infrastructure
• Training and coaching employees, for example by recording telephone calls
• Consulting the Central Individual Credit Register for the provision of a private loan
• Gauging your knowledge and experience in relation to investments with a view to protecting investors (MiFID)
• Making calculations to supply a correct property estimate
• Using modern technologies, including artificial intelligence (for example, to consult certain customer data)
  

Developing models for customer comfort and for marketing purposes

KBC Brussels conducts in-depth data analysis to support its commercial activities. This includes building customer profiles for the following purposes:

• Gathering data from different companies of the KBC Group in these analytical models makes it possible to obtain data-driven insights that support the KBC Group in making strategic choices; and
• Developing commercial policies, taking into account customers’ behaviour and wishes

Profiling for marketing purposes

KBC Brussels processes your personal data for personalised commercial messages about KBC Brussels products and services. This includes Creation of profiles to personalise and steer direct marketing. KBC Brussels uses them to offer customers, prospects or platform users KBC Brussels’s and KBC Brussels partners’ products and services (see 2.5).

Ensuring the best possible customer experience

We understand ‘the best possible customer experience’ to mean the following:

• Customisation of product and service offers by both itself and third parties
• Contacting you in connection with services you have requested through KBC Brussels Mobile, for instance to remind you to repay your outstanding credit card balance before the due date. You can disable these messages in KBC Brussels Mobile (under Profile/Notifications)
• Managing and optimising the administrative process, for example for completing forms
• Offering technical and administrative support if you started a simulation or sales process but stopped before completing it
• Digitisation of KBC Brussels services and products to improve their accessibility and user-friendliness with additional personalised information
• Exchanging the investor profile between the KBC Group entities that provide investment advice in order to guarantee profile consistency and uniformity

Product and service offering

• Calculating and/or proposing a commercial discount. KBC Brussels calculates the commercial discount for all customers, irrespective of any specific request. To this end, KBC Brussels analyses the behaviour and a few relevant characteristics of the customer based on customer profiles.
• Answering questions from customers or prospects (such as when preparing simulations or tenders).
• Creation of profiles to tailor KBC Brussels’s commercial and product strategies to customers’ behaviour and wishes.

Offer of aggregated insights

• To assess rapidly changing consumer behaviour and thus predict economic trends.

Mobilisation of appropriations

• If a credit claim is mobilised from a credit agreement, we may disclose the obligations and, based on legitimate interest, the necessary details of the borrower and guarantor concerned to the transferee for the management of the claim. Mobilisation of credit claims is effected among things in the form of securitisation, assignment of receivables and in the context of covered bonds. The recipient guarantees the confidentiality of the data.
• KBC Brussels may disclose information about the credit agreements and the way in which they are executed to:
  • All stakeholder third parties with a legitimate interest (such as the National Bank of Belgium or third parties to whom the credit agreement may be transferred or assigned);
  • Parties that can assign a rating to relevant securitisation transactions;
• To improve the operation of market forces when credit agreements are converted into securities, the European Central Bank and the EU authorities impose reporting requirements. These reports are not by named individual but by contract detail (such as number of borrowers, term and due date of the credit, outstanding credit amount, payment arrears, characteristics of the mortgaged pledge). This information must be made available to investors in these financial instruments (often designated as asset-backed securities or residential mortgage-backed securities). You will find more on this on the website of the European Central Bank: www.ecb.int keyword: loan-level).

External real estate appraisals

• KBC Brussels uses external appraisers to revalue any real estate we hold as collateral for loans at certain times during the life of the loan, in accordance with the European Capital Requirements Regulation (CRR). These revaluations do not affect the underwriting process of the credit in question, but merely serve to comply with the CRR. To make these external appraisals practical, KBC Brussels provides the external appraisers with certain information about you and the property concerned, such as your name and contact details, the address and type of property, etc.

Corporate customers

• In order to reach corporate customers, KBC Brussels sends messages to the representatives designated by the company. These messages can be for information purposes or they can be a call to action. For the calculation of the corporate customer’s profile, KBC Brussels only uses the company’s data and not the representatives’ personal data.

To send advertising messages to the company, KBC Brussels also processes the representatives’ data. Representatives may object to this processing.

KBC Brussels will request your consent:

• To process transaction data that you have personally added in KBC Brussels applications such as KBC Brussels Mobile for commercial models and profiles;
• For geolocation (unless expressly stated otherwise);
• To process data entered by you in a simulation or competition entry form in order to send you advertising messages;
• To enter underlying data in a form that needs to be completed with certain information for KBC Brussels to be able to process the form, in which case KBC Brussels will generally ask you to check the data’s accuracy;
• To process your contact details as representative of your company when we transfer them to, for example, Cashforce;
• To process biometric data to identify you;
• To answer questions asked by third parties, unless there is another legal basis for doing so, such as a statutory duty;
• To process health data, for which we need your explicit consent;
• To send notifications from the browser regarding the Private Banking newsletter.

Each notification includes information on how to withdraw your consent. If you are no longer able to make your own wishes and needs known, a carefully drafted lasting power of attorney can guarantee that your personal wishes and needs are translated correctly from a lawful point of view, including in banking matters. KBC Brussels will respect that expression of your will and your appointed proxy holder. KBC Brussels may request your consent through all possible channels, such as KBC Brussels Mobile’s start screen, Kate or e-mail.

KBC Brussels is keen to be able to suggest a wide range of financial and non-financial products and services to you. It may do so in response to explicit requests from you or, where KBC Brussels has an idea that you might be interested in or could benefit from a given product or service.
You can receive this information through various channels: through KBC Bank branches and insurance agencies, over the Internet and in apps, in the KBC Brussels Mobile app’s start screen, by sending push messages from KBC Brussels Mobile or your browser, by e-mail, post or telephone, via Kate, and at events. In addition, the constant flow of new technologies gives KBC Brussels new ways it can embrace to serve you better. KBC Brussels regularly evaluates its communication channels in order to integrate new technologies.

KBC Brussels aims to ensure that information is provided in a way that’s clear and will choose the channel that is the most appropriate for you. If KBC Brussels knows the age, commercial offers will not be made to young persons aged under 16 unless a legal representative of theirs has consented.

If you do not opt for the personalised agreement, you may still receive direct marketing based on a legitimate interest (see 2.3). If you don’t want to receive any direct marketing at all, see 3.5, which describes how to object to direct marketing. If you are unsure as to which situation applies to you as a customer, feel free to e-mail mypersonaldata@kbc.be for help. 

Our app lets you manage certain notifications and whether you receive them or not. You can manage your notifications under ‘Settings’.

Start > Your photo or the Settings icon in the top left corner > Security and privacy > Privacy > Commercial settings > How do you want to receive commercial messages?

Depending on what kind of commercial offers you wish to receive, you can choose ‘Personalised’ or ‘Standard’.

If you choose to enter into a personalised agreement, you will receive personalised communications from KBC Brussels. The processing of personal data is therefore essential to the performance of this agreement.
The personalised agreement contains information about the services offered by KBC Brussels when you opt for the personalised agreement and on how this agreement works.

2.5.1.1. Who is offering the personalised agreement?

KBC Bank, CBC Banque, KBC Asset Management and KBC Insurance (hereinafter: ‘KBC Brussels’) have joined forces in order to make you proposals and contact you for advertising purposes in as personalised a manner as possible. These entities can share your personal data with each other for this purpose, to the extent that this is necessary and relevant in order to send you personalised commercial messages. This enables KBC Brussels to approach you based on the overall profile it has compiled of you. This is important in order to ensure that KBC Brussels makes you relevant commercial proposals based on your specific situation.
For this purpose, the entities are jointly responsible for the correct processing of your personal data and act as joint controllers. In order to exercise your rights, as described in the General Data Protection Statement, you can contact KBC Bank, CBC Banque, KBC Asset Management or KBC Insurance.

2.5.1.2. What are KBC Brussels’s legal grounds for using your personal data?

KBC Brussels will only use your personal data for personalised services if you have chosen to enter into this agreement.

KBC Brussels invokes contract performance as a basis for delivering personalised services, as described in the personalised agreement. These are:

• Analysis and use of personal data in order to create a profile of you and subsequently be able to send you personalised commercial offers and messages. You will find more information about this under 2.5.1.3
• Analysis and use of personal data in order to display Kate Deals to you on a personalised basis and to customise the Kate Deals and the Kate Coins awarded in the context of the personalised agreement, based on parameters determined by KBC Brussels and/or by KBC Brussels and the participating retailer jointly. You will find more information about this under point 2.5.1.3

KBC Brussels sends commercial messages through the electronic communication channel of your choice:  

• The personalised agreement always contains a provision for the receipt of electronic communications via push notifications from KBC Brussels Mobile, or by e-mail, text message, or WhatsApp message. You can always decide to adjust your communication preferences. This puts you in full control of how KBC Brussels sends you commercial proposals  
• For example, you may decide at any time to have these communications restricted to the channels of your choice (e-mail, push notifications and text or WhatsApp messages), or not to receive any commercial messages electronically at all. You can make these changes in KBC Brussels Mobile (Privacy > Commercial Settings), KBC Brussels Touch (Profile > Privacy > Commercial Settings), KBC Brussels Live, or at any KBC Brussels branch  

If you choose certain electronic channels, KBC Brussels may send you advertising on all products through these channels. To guarantee high-quality communication, KBC Brussels may also rely on other service providers, such as communication and marketing agencies and similar companies (e.g., Google, Facebook, Instagram, WhatsApp). Sometimes KBC Brussels only uses information it has about you or your personal profile information held by them. In other cases, KBC Brussels combines this data. Depending on the type of cooperation, they may be processors or controllers (see points 4.3 and 4.4)

2.5.1.3. What type of data processing is needed in order to provide the requested services?

In order to be able to deliver the services described in the personalised agreement, KBC Brussels must be able to predict your behaviour, needs and requirements.

KBC Brussels uses all personal data (including transaction data, data obtained from third parties, data obtained from public sources such as the Belgian Official Gazette, data and information gathered during conversations with you at the branch or other contact moments, etc.) it possesses on you and any insights it obtains based on general market analysis. KBC Brussels combines this data with other data and information relating to your family, business, etc.

KBC Brussels may make highly personalised commercial proposals to you, tailored to your needs and interests, by applying this analysis to your individual or family situation.

Data processing in the context of personalised commercial messages

KBC Brussels conducts in-depth profiling as part of the personalised agreement in order to be able to tailor the advertising messages to your needs. This is because KBC Brussels’s intention is to send you commercial messages tailored to your situation as far as possible.

These commercial messages might focus on:

• KBC Brussels’s products and services and those of carefully selected partners with whom KBC Brussels works in order to provide their services through KBC Brussels
• Both financial products such as loans or insurance products as well as non-financial products like buying train tickets, ordering service vouchers, etc.

KBC Brussels generally sends these commercial messages to you directly, rather than through its partners. This ensures that KBC Brussels can minimise data processing by its partners. KBC Brussels has also made contractual arrangements with its partners, in which they confirm that they will comply with the privacy rules.

If you use ‘Additional services’ in KBC Brussels Mobile, KBC Brussels may use the personal data processed in that context and the personal data it may receive from its partners to tailor advertising even more closely to your personal situation. You will find a list of partners that make such data available to KBC Brussels here.

Consult the partner’s documentation to learn more about exercising your privacy rights with regard to the exchange of your data between the partners and KBC Brussels.

Data processing in the context of personalised Kate Coins

As part of the personalised agreement, you can earn, obtain and spend personalised Kate Coins at the participating retailers. KBC Brussels uses the transaction data to calculate and execute the cashbacks to which you are entitled. For instance, based on your purchases, KBC Brussels can see the number of Kate Coins you are entitled to and how many Kate Coins you actually used or redeemed. KBC Brussels may also receive the data about your purchase such as the purchase price and category of the product or service from a participating retailer, for instance when you make a purchase with a participating retailer by clicking on a specific link in the Kate Coin Wallet. Based on your click, the participating retailer can infer that you are a KBC Brussels customer with a personalised agreement. The only purpose of this data exchange is to check whether you are entitled to Kate Coins and to calculate and execute your cashback.  

KBC Brussels works with a number of participating retailers:

Kate Coins are personalised based on predetermined parameters by KBC Brussels and/or the participating retailer. This enables KBC Brussels and the participating retailer to determine the target audience more accurately.  

In order to be able to deliver these parameters, KBC Brussels checks your personal data. Personal data that may be processed in this context includes transaction data, place of residence, gender, age, household composition, as well as profiles derived by KBC Brussels (from customer data), hobbies and what customers do in their spare time. This data is processed either separately or combined. KBC Brussels does not pass on this personal data directly to the participating retailer. If this personalisation takes place at the participating retailer’s request and in consultation with KBC Brussels, KBC Brussels and the relevant participating retailer are joint data controllers. Feel free to contact KBC Brussels if you have any questions about exercising your rights, as described in this general data protection statement. Since KBC Brussels automatically selects for which Kate Coins you are eligible based on the parameter(s) described above, some of these decisions may be made automatically. You can read more about how automatically generated decisions are made in the Annex to the General Data Protection Statement – Automated decision-making.

If you don't want a highly personalised offer, simply don’t select the personalised contract. Even then, however, you may still receive offers or advertising from KBC Brussels (e.g. on the KBC Brussels Mobile overview page or via e-mail, push notifications or text message). KBC Brussels sends offers using only a limited number of details based on its legitimate interest (such as who you are and where you live, your date of birth, your marital status, your contact details, family relationships, the apps and products you have, or any lack of interest on your part in certain products).

These limited personalised commercial messages may concern:

• Financial products and services from KBC Bank NV or KBC Insurance
• Non-financial products and services from KBC Brussels and from carefully selected partners in, for example, the Additional services offered in KBC Brussels Mobile, such as selling tickets; Learn more about the partners at www.kbc.be/partners. Subject to your separate consent for the electronic channels (e-mail, push messages and text message/WhatsApp), KBC Brussels may send you advertising on all products through these channels. In the absence of your consent, we will limit ourselves to advertising on products similar to those you already own. You can manage your consents via KBC Brussels Mobile or KBC Brussels Live or at your KBC Brussels branch.

In order to be able to send you the appropriate message through the correct channel, KBC Brussels may also call on other service providers. For this purpose, KBC Brussels may cooperate with communication and marketing agencies, and similar companies such as social media players (e.g. Google, Facebook, Instagram, WhatsApp). Sometimes KBC Brussels only uses information it has about you or your personal profile information held by them. In other cases, KBC Brussels combines this data. Depending on the type of cooperation, they may be processors or controllers (see points 4.3 and 4.4).

KBC Bank, CBC Banque and KBC Insurance process personal data for direct marketing as joint data controllers. This allows us to inform you of – and promote – the full range of products, services and brands that KBC Brussels offers through its physical channels and digital apps. In order to exercise your rights, as described in the General Data Protection Statement, you can contact KBC Bank, CBC Banque or KBC Insurance.

Customised commercial messages based on your consent have been discontinued. From now on, our costumers can choose between the specific offer of the tailored for your personalised agreement or the less personalised commercial messages. If you have not yet set your preferences, you will receive less personalised commercial messages. In any case, you can still choose not to get any commercial messages by exercising your right to object (for more details see the right to object section).

KBC Brussels uses platform users’ personal data to conduct direct marketing campaigns (e.g. in KBC Brussels Mobile’s start screen or by e-mail, push notification or text message) based on a legitimate interest. This may include services offered through KBC Brussels Mobile, including Kate Deals, and KBC Brussels payment solutions. For this purpose, KBC Brussels processes the limited set of personal data that the user registered when they activated the use of the KBC Brussels platform (surname and first name, address, date of birth, mobile phone number and e-mail address). If the user agrees to the use of cookies, KBC Brussels can also send offers based on click and browsing behaviour. Platform users can exercise their right to object to direct marketing, in which case they may still see an advertising message but it will be a general advertising message, for which KBC Brussels does not process customers’ personal data.

KBC Brussels may send you offers based on your usage patterns on its websites and apps, provided that you consent to the collection of this cookie data and it being used for sending personalised commercial messages. The cookie consent determines which offer KBC Brussels can send you. Your cookie data may be combined with other personal data according to the conditions set out under 2.5.1, 2.5.2 and 2.5.3.

KBC Brussels uses prospects’ contact details to conduct direct marketing activities. Commercial messages by e-mail are sent only with the recipient’s prior consent. Telephone marketing is always based on a legitimate interest, and KBC Brussels respects anyone who is listed on the Do-Not-Call Registry.

Our app lets you manage certain notifications and whether you receive them or not. You can manage your notifications under ‘Settings’.

Start > Your photo or the Settings icon in the top left corner > Security and privacy > Privacy > Commercial settings > How do you want to receive commercial messages?

Depending on what kind of commercial offers you wish to receive, you can choose ‘Personalised’ or ‘Standard’.

You can always choose not to activate the Personalised Agreement if you no longer wish to receive personalised messages or only wish to receive general advertising messages. If you no longer want to receive any advertising at all, you can object to direct marketing.

KBC Brussels does not sell or hire out your personal data to third parties for their own use, unless you opt for this yourself by giving your consent or approval or in the context of a service. This enables KBC Brussels to share your data with third parties in the context of the partners listed here (see 2.5.1.3)

Some data processing operations and processes are fully automated, without any human intervention. Some automated decisions will have a greater impact you than others, for instance in the case of a credit decision or insurance underwriting. In most cases, KBC Brussels calculates these profiles only for customers requesting or using a certain service that requires the use of these profiles (see 3.3 for more information about customer profiles). In other cases, KBC Brussels calculates these profiles in advance.

KBC Brussels will then inform you on the screens or in the terms of use of its own applications that it concerns an automatically generated decision before asking for your personal data. KBC Bank discloses the logic of this automatically generated decision and its consequences at the moment of processing itself via a link to the ‘Annex to the KBC Brussels Data Protection Statement – automated decision-making’, which you will also find at www.kbcbrussels.be/privacy.

If you are dissatisfied with the result of such a fully automated decision, you can contact KBC Bank NV via KBC Brussels Live or any KBC Brussels branch. You can, for example, ask a KBC Brussels staff member to intervene or tell them why you disagree with the decision and request to view the decision taken.
Automated decision-making is often based on an underlying customer profile.

You can view some of the data directly yourself, for example using KBC Brussels Mobile, KBC Brussels Touch, Bolero Online or the Bolero app. If you exercise your right to access, KBC Brussels will give you as complete a list as possible of your data. However, it can happen that some personal data from the usual logs, stored/archived records and back-up files is not included in that list. Such data (e.g., cookie data) is not within scope of the data processed on an ongoing basis and is therefore not readily available. It is possible to request access to this data separately.

In some cases, anti-money laundering legislation prohibits KBC Brussels from giving you access to the personal data being processed about you. For example, KBC Brussels cannot give you access to an anti-money laundering investigation.

It is possible that certain data held on you by KBC Brussels is not or no longer correct. You can ask for the data to be rectified or completed at any time via your branch or KBC Brussels Live.

Customers of Bolero services can change certain details themselves by navigating to the settings menu in Bolero Online and the Bolero app, as well as manage their communication preferences.

You can ask KBC Brussels to erase your personal data. If KBC Brussels no longer has an overriding ground for processing your personal data (e.g. a legal requirement), KBC Brussels will erase it.

KBC Brussels can process data on the basis of legitimate interest. If you do not agree with this, you can object to it. If there are no overriding grounds (e.g. data processing in the context of fraud prevention) not to do so, we will comply with this request.
Below, you will find the main types of personal data processing operations based on the legitimate interest to which you can object, and to whom they apply:

You are, of course, free to object to any specific processing of personal data at any time (see 2.9). If you do not specify the reasons for your objection, KBC Brussels will interpret your query broadly.

If you do not want KBC Brussels to use your personal data for direct marketing purposes, KBC Brussels respects your wishes. If you are a customer and you use KBC Brussels Mobile or KBC Brussels Touch, please use this form. You can also send an e-mail to mypersonaldata@kbc.be, visit your KBC Brussels branch or your KBC Brussels agency or contact our staff at KBC Brussels Live.

If you are a platform user, KBC Brussels will also ask you for the mobile phone number you used to register with KBC Brussels. Even if you exercise your right to object to direct marketing, you may still see advertising messages on KBC Brussels’s digital channels or elsewhere. These may be general advertising messages for which KBC Brussels does not process customers’ personal data, pop-up notifications about the Private Banking newsletter (for which you can withdraw your consent at any time) or personalised advertising messages for which we only use your cookie data. If you don’t want the latter, you can withdraw your consent to the collection of these cookie data and them being used for sending customised commercial messages. You can find out how to do this in our cookie policy.

Some data processing operations and processes are fully automated, i.e. without any human intervention. Some automated decisions will have a greater impact on you than others, for instance in the case of a credit decision or insurance underwriting. Automatically generated decisions are often based on an underlying customer profile. In most cases, KBC Brussels calculates these profiles only for customers requesting or using a certain service that requires the use of these profiles (see 3.3). In other cases, KBC Brussels calculates these profiles in advance.

KBC Brussels will then inform you on the screens or in the terms of use of its own applications that it concerns an automatically generated decision before asking for your personal data. KBC Brussels discloses the logic of this automatically generated decision and its consequences at the moment of processing itself via a link to the ‘Annex to the Data Protection Statement – Automated decision-making’.

You can always consult the ‘Annex to the Data Protection Statement – Automated decision-making’ at www.kbc.be/en/privacy.

If you are dissatisfied with the result of such a fully automated decision, you can contact KBC Brussels via KBC Brussels Live or any KBC Brussels branch. You can, for example, ask a KBC Brussels staff member to intervene or tell them why you disagree with the decision and request to view the decision taken.

You are entitled to ask KBC Brussels for personal data that you yourself have provided to KBC Brussels with your consent or in the process of performing a contract to be transferred back to you or to a third party.

Legislation lays down a number of limitations to this right, as a result of which it does not apply to all data

In some cases, you may ask KBC Brussels to restrict processing of your personal data. Exercise of this right is conditional. You may exercise your right to restrict processing:

• During the period needed by KBC Brussels to verify the accuracy of your personal data if you challenge the accuracy of personal data concerning you that KBC Brussels processes;
• Where processing is unlawful but you do not want the personal data erased;
• When KBC Brussels no longer has a purpose for processing the personal data but you still need it in connection with a legal claim;
  Pending KBC Brussels’s reply to whether KBC Brussels’s legitimate interest weighs more importantly than yours when you have exercised your right to object to processing for which KBC Brussels invokes its legitimate interest as legal basis.
  

Please be as specific as possible when you wish to exercise your privacy rights, so that KBC Brussels can handle your request appropriately. KBC Brussels will need to be able to verify your identity in case someone else tries to exercise your rights. If you have any questions or feedback regarding the exercise of your privacy rights, please e-mail us at mypersonaldata@kbc.be or contact your KBC Brussels branch or your KBC Brussels Insurance agent.

If you are a customer and you use KBC Brussels Mobile or KBC Brussels Touch, you can easily activate your right of access or your right to object to direct marketing. You can consult, amend or terminate the use of certain data yourself using KBC Brussels Touch, KBC Brussels Mobile, Bolero Online, KBC Brussels Business Dashboard, KBC 4 Business or a branch ATM.

If we can contact you digitally, we will give you access through the KBC Brussels Mobile app. If you prefer to receive your personal data through another channel (e.g., by post or e-mail), you should state this explicitly in your request.

You can also exercise your rights if you are a platform user, prospect or property owner. To do so, state your name, the telephone number you used to register in the application and, if applicable, the e-mail address.

If you have a complaint concerning exercise of your rights, KBC Complaints Management will be happy to look into it. You can contact KBC Complaints Management in any of the following ways: KBC Complaints Management, Brusselsesteenweg 100, 3000 Leuven, or via e-mail (complaints@kbc.be).
Alternatively, use one of KBC Brussels’s electronic channels (including the KBC Brussels website, KBC Brussels Touch, Bolero Online and the Bolero app).

You can also always contact the ‘Data Protection Officer’ at KBC Brussels by writing a letter to KBC Group NV, Group Data Protection Unit (Group Compliance), Havenlaan 2, 1080 Brussels, or sending an e-mail to dataprotection@kbc.be.

If you would like more information or if you do not agree with KBC Brussels’s point of view, be sure to visit the website of the Belgian Data Protection Authority at www.dataprotectionauthority.be. You can also lodge complaints there.

At KBC Brussels, only authorised persons have access to your personal data, and only if the data is relevant to their tasks. These persons are bound by a strict professional duty of confidentiality and must abide by all technical instructions to safeguard the confidentiality of your data and the security of the systems. When processing personal data, KBC Brussels also uses several processors, i.e. companies that process the data on KBC Brussels’s instructions.

For the processing of personal data, KBC Bank NV makes use of processors within the KBC Group based in the European Union, namely KBC Group NV and KBC Global Services NV. Processing is carried out in Brno, Sofia or Varna, for instance, by the Shared Services Centre, branches of KBC Global Services NV in the Czech Republic or Bulgaria.

Some of the data processing performed by KBC Group NV and KBC Global Services NV on behalf of KBC Bank NV relates to oversight and support functions (at group level) such as financial reporting, the compliance function, the internal audit function, the inspection and risk function, anti-money laundering checks, complaints management, marketing support, support for invoicing, money transfers, credit processing and ICT management for the KBC Group.

For ICT management, KBC Brussels uses KBC Global Services NV, sometimes in conjunction with other processors within and outside the KBC Group.
KBC Brussels also uses the services of 24+ NV (www.24plus.be):

• As a contact centre through which you can get in touch with us;
• As a contact centre to get in touch with you on behalf of KBC Brussels for the purpose of making an appointment or conducting a satisfaction survey, to inform you about ‘personalised information’ and to invite you to make a choice;
• To log data into KBC Brussels apps;
• For administrative processing on the instructions of KBC Brussels;
• To provide information to the tax authorities and the police;
• To conduct an advisory meeting following a death, and to register next of kin, heirs,legal representatives and beneficiaries in the persons database.

KBC Brussels works together with Everyone Invested, a subsidiary of KBC Asset Management NV, to analyse the conformity of individual investment portfolios with the KBC Investment Strategy. KBC Brussels exchanges anonymised data regarding the investment portfolios with Everyone Invested for this purpose.

KBC Brussels uses specialist third parties in Belgium and abroad to perform some processing operations, e.g. payments.

These are:

• SWIFT (www.swift.com)with headquarters in Belgium and establishments in many countries, for the global message exchange;
• Equens Worldline SE (www.equensworldline-nv.com), Mastercard (www.mastercard.com), Idemia (www.idemia.com) ) and, in certain cases, Bancontact Payconiq Company NV (www.bancontact.com) for payments and (credit) card transactions worldwide;
• Custodians and sub-custodians of financial instruments worldwide that are subject to local financial regulations;
• Institutions for the settlement and clearing of payments and securities transactions, such as the CEC (www.cecbelgium.be) (payment systems) and Euroclear;
• Transport companies (for cash and other valuables) and security firms;
• Consumer credit intermediaries (i.e. instalment loans);
• Entities that support KBC Brussels in complying with its anti-money laundering obligations, for example by developing and using money laundering detection models;
• Batopin NV (www.batopin.be), a network of bank-neutral ATMs, also for updating your electronic ID card details;
• Appbot Pty Ltd (www.appbot.co), for monitoring and analysing feedback from users of KBC Brussels apps;
  Renta Solutions NV for typical leasing platforms in automating vehicle ordering, vehicle registration and delivery (Order Register Deliver), maintenance, electronic invoicing (REI rS Electronic Invoice).
  

KBC Brussels may also directly or indirectly (e.g. through KBC Group NV) engage the services of other processors, such as

• Consultants;
• Third-party business introducers to fulfil its general duty of vigilance as laid down by law:
  • The obligation to identify and verify identities;
  • The obligation to identify the customer characteristics and the purpose and nature of the business relationship;
  • The obligation to update information;
• Market research agencies such as Ipsos (www.ipsos.com), Profacts (www.profacts.be), GFK (www.gfk.com) Checkmarket (www.checkmarket.com.), iVOX (www.ivox.be) en Intrinsiq (www.intrinsiq.be), DataSynergy (www.data-synergy.be) for issuing invitations as well as carrying out surveys;
• ICT and ICT security service providers and artificial intelligence companies such as Microsoft, Cognizant, IBM, Amazon and HP, and specialist fintech companies such as Onfido for facial recognition during the customer onboarding process;
• Marketing and communication agencies and similar companies, whereby KBC Brussels uses personal profile information on you that is held by them, along with the data it holds on you, to be able to make targeted offers to you via their channels (e.g. Google, Facebook, etc.);
• Companies that support KBC Brussels in identifying and analysing your user behaviour in our apps and on our websites (e.g.Adobe, Dynatrace). In preparation for the analysis of Adobe Data Analytics, KBC Brussels will rely on the services of Amazon Web Services – Cloud Computing Services. The transfer and processing of personal data from, to and in Amazon Web Services is encrypted;
• Companies specialising in information archiving and access, such as Doccle (Doccle stores information on all our customers, including those that haven’t opted for digital record-keeping). Doccle uses Amazon Web Services – Cloud Computing Services);
• Companies specialised in scanning digital documents in order to digitise files with associated info;
• Companies specialising in solvency investigations;
• Companies specialising in specific services that KBC Brussels uses when offering services to its customers, such as Meeco for offering the Digital Safe in KBC Brussels Mobile;
• Printers for printing and the addressing of news magazines, cheques and transfer forms, badges, among other items;
• Translators and translation agencies;
• Social media management tools (CX Social);
• Sworn real estate experts;
• Communications agency Motisha BV (www.motisha.com);
• Companies providing Platform as a Service (PaaS) and Software as a Service (SaaS) in the cloud, such as:
  • The Microsoft Dynamics CRM app used by KBC Brussels to maintain customer overviews;
  • VEE24’s video chat app for enabling digital communication with KBC Brussels;
  • The storage services of Microsoft Azure or Amazon, on which KBC Brussels can place its own platforms or software that process and store your personal data;
  • Security services that screen Internet or e-mail traffic with KBC Brussels for cyberattacks or phishing scams;
  • TreasurUp, with whom KBC Brussels exchanges the contact details of company representatives to enable forex transaction analysis;
  • Nomios Belgium NV to set up a secure network connection between KBC Brussels entities worldwide based on SD WAN technology;
  • Applications that facilitate and automate call recording, where appropriate, for instance as offered by Luware;

As a data controller, KBC Brussels may – in addition to using other processors – also use other service providers or third parties, such as lawyers, notaries public or doctors, who themselves are data controllers.

This is, for instance, the case for KBC Securities Services, which is a part of the KBC Group. KBC Securities is the controller of your personal data when providing services in its capacity as a broker or custodian of securities. To this end, KBC Securities Services works with other third parties such as wealth managers and private bankers. They in turn offer their own services, such as investment advice, and therefore also act as a controller of your personal data. When that is the case, another – usually shorter – data protection statement may apply since the service is also more limited. If you purchase a service from KBC Brussels that is covered by a shortened or non-standard data protection statement, you will be duly advised of this. The most recent version of the statement applying to services provided by KBC Securities Services can be viewed at www.kbcsecurities.com.

KBC Brussels can outsource the collection of arrears on, say, a loan, to specialised companies that themselves are data controllers.

KBC Brussels also distributes its own products and services in conjunction with third parties that refer their customers to KBC Brussels, for example for a loan. They do not act as intermediaries in that regard and only pass on to KBC Brussels the personal data needed to prepare tenders or simulations. The third parties are responsible for passing on the personal data. The third parties have access to a dashboard to track purchases of products.

As a bank-insurer, KBC Bank NV cooperates with KBC Insurance, with both companies acting as data controllers with respect to personal data. Specific information regarding the controllers for the direct marketing domain is provided under 3.5.

KBC Brussels can itself act as a third-party business introducer for, for example, Payconiq and Belgian Mobile ID (itsme). KBC Brussels then processes personal data as data controller. KBC Brussels transfers this personal data to the third party. Likewise, a third party may act as a third-party business introducer for KBC Brussels.

When a mortgage expires and mortgage renewal is needed, KBC Brussels will call upon the services of a notary public. KBC Brussels provides the notary public with the national registration number(s) of the borrower(s), a copy of the original registration model, the first authenticated copy of the deed or other useful information that allows the notary public to renew the mortgage registration.
When, as a retailer, you want to install an electronic payment terminal and you ask KBC Brussels to act as an intermediary in that regard, KBC Brussels will pass on your contact details to Equens Worldline SE.

If you order goods and/or services online, as a customer you will find that several online retailers offer the KBC Brussels Payment Button. This button allows you as a customer to pay for online purchases while authenticating yourself using your familiar and trusted KBC Brussels e-banking channels (e.g. Touch, Mobile, O4B).
In certain specific cases, processors whose services KBC Brussels engages (see 4.3 and 4.4) may nevertheless act as controllers for the processing of KBC Brussels data. One such case is Microsoft, which also processes personal data for activities beyond the limited scope of a processor., such as billing, internal remuneration, internal reporting and internal organisation, combatting fraud and security of their services, service improvement, financial reporting, and compliance with legal obligations applicable to them. KBC Brussels has entered into the necessary contractual arrangements with Microsoft to ensure compliance with the relevant data protection safeguards.

KBC Brussels can also cooperate with third parties such as Xerius Ondernemingsloket vzw. Xerius helps you to start up a business. During that process, Xerius may put you in touch with KBC Brussels to get your business account opened. Xerius then sends identification details to KBC Brussels. Xerius does this with your consent.

As a customer, you can ask for your balance and transactions via so-called virtual ‘Voice Assistants’ (Alexa, Google Assistant, etc.). In order to do this, you must first give KBC Brussels your consent to transfer the necessary account information to that service. The further processing, such as the electronic pronouncement of your balance by the service, is carried out entirely by the third party that provides the service to you. KBC Brussels is not responsible for that.

KBC Brussels acts as a processor of your personal data on behalf of third parties further to the execution of orders at a number of stock exchanges or when acting as a broker. This is, for instance, the case for KBC Securities Services. KBC Brussels acts as a processor for certain third parties with respect to the Additional services as set out under 3.2. KBC Bank NV acts as a processor for KBC Insurance NV for the distribution of their products.

KBC Brussels ensures that strict rules are followed and that the processors involved: have only the data they need to perform their tasks.

Have given KBC Brussels a commitment that they will process these data securely and confidentially, and only use it for carrying out their tasks.
KBC Brussels will not be liable if these processors (according to law) disclose customers’ personal data to local authorities or if incidents occur at those processors despite the measures they have taken.

KBC Brussels ensures that the European data protection standards for personal data are applied worldwide within companies belonging to the KBC Group and their branches. KBC Brussels also ensures that companies and corporate branches of the KBC Group to respond appropriately to protect the data of legal entities.

KBC Brussels takes internal technical and organisational measures to prevent personal data finding its way into the hands of, or being processed by, unauthorised parties or being accidentally altered or deleted.
Strict security measures are in place to protect premises, servers, the network, data transfers and the data itself, and extra checks are also conducted by a specialist department in this regard.

To make online banking and investment services as secure possible, security experts at KBC Brussels continuously analyse cyber-criminal activity. so that they can hone the relevant security measures accordingly. Find out more at www.kbcbrussels.be/secure4u.

You and we together need to be aware that information shared by e-mail can sometimes be intercepted and, where possible, we must aim to use a different means of communication or to limit the amount of information sent.
KBC Brussels websites and apps may contain links to websites or information of third parties. KBC Brussels does not check such websites or information. Parties offering these websites or this information may have their own privacy policies in place, which we advise you to read. KBC Brussels is not responsible for the content of those websites, their use or their privacy policy.

KBC Brussels sometimes facilitates the publication of (personal) data via social media such as Twitter and Facebook. Bear in mind that these channels have their own terms of use, with which you must comply. Publishing data on social media may have (undesirable) consequences, including for your privacy or that of persons about whom you share data. You may not be able to delete such published data quickly. You should therefore assess the consequences yourself as the decision to disclose data on such media ultimately lies with you. KBC Brussels does not accept any responsibility in that regard.

KBC Brussels uses your personal data where KBC Brussels has a clear aim in mind. Once that aim no longer exists, we delete the data.

The period for which your personal data has to be retained is defined by law (usually until ten years after the end of a contract or execution of a transaction. For commercial claims it is thirty years after the end of a contract or execution of a transaction). The period can be longer where needed for the exercise of our rights. If no retention period is stipulated by law, it may be shorter.

For some applications, a more extended time horizon may be necessary, such as for carrying out surveys and risk and marketing models. Some insights only get clearer once they are viewed over a longer time span. This can result in the retention period being extended by ten years on top of the standard periods. As has been stated, KBC Brussels will in all cases sever connections to individuals as quickly as possible and work only with aggregated or anonymised data.

Information that you personally registered in the KBC Brussels Touch application ‘Profile yourself’ or that was registered at the branch, with the agent or in KBC Brussels Live, for example, is retained by KBC Brussels for five years.

Personal data on prospects is used by KBC Brussels for a maximum of five years unless, in the meantime, there has been contact with the prospect. In that case, a new maximum five-year period starts. Prospects can always ask for their personal data to be removed.

Legislation in some countries outside the EEA (like the United States of America or India) doesn’t always afford the same level of data protection as in EEA member states. Where a non-EEA country is viewed by the European Commission as not offering an adequate level of protection, KBC Bank can cover the deficiency by, say, agreeing the required contractual guarantees with those third parties (such as a model approved by the European Commission), providing control mechanisms and implementing technical and organisational measures.

The transfer of personal data to countries outside the European Economic Area or to international organisations was screened by KBC Brussels. This transfer either takes account of the European Commission’s list of safe countries or is based on reasonable and sufficient security measures or falls under a specific derogation from the GDPR.

The most important aspects of international data transfer are explained in more detail below. Feel free to e-mail mypersonaldata@kbc.be if you have any questions.

KBC Brussels may export some personal data relating to Corporates (e.g. contact details of representatives) to its foreign branches in Hong Kong, China, Singapore and the US, provided the corporate customer also operates in the country in question.

KBC Brussels always opts for the processing of personal data to take place within the European Union. Given the nature of certain processes (for example, when round-the-clock support is required), in some cases personal data may be transferred to processors outside the EEA.

Even if the data centre is located within the EEA, access from outside the EEA may still be possible in some cases (e.g. in case of technical problems, or when round-the-clock support is required). This is also considered data transfer outside the EEA.

For some processes, the processors’ data centres may be located outside the EEA or accessed from outside the EEA, as is the case for the United States of America.
Even if the transfer is subject to an adequacy mechanism (such as the EU-US data protection framework in the United States of America), KBC Brussels will still ascertain that third parties provide an adequate level of protection.

Some examples:

Similarly, when data is transferred to another controller in a country outside the EEA, these transfers are screened by KBC Brussels and the necessary measures are applied.
Some examples of controllers outside the EEA that may receive personal data from KBC Brussels (valid on 6 May 2024):

If you as third party have queries about customers, for example because you work for the police or are a notary public or lawyer, you can contact KBC Brussels’s Third-Party Enquiries department, Brusselsesteenweg 100, 3000 Leuven. This specialist department will answer your query subject to bank secrecy obligations and the privacy laws. KBC Bank branches and other departments will therefore refer you to that department.

As KBC Brussels has to comply with its confidentiality obligations and with the data protection legislation, it may only answer queries from third parties if they arise pursuant to a legal requirement or a legitimate interest, doing so is a prerequisite for performing the contract or the data subject has given their consent.

In the last case, KBC Brussels actually advises requesting the information directly from the data subject.

KBC Brussels declines liability if, as a result of foreign legal obligations, the lawful recipients of personal data are required to pass personal data about customers on to local authorities. Or if they process personal data without an adequate level of security.

KBC Complaints Management provides answers to the questions posed by Ombudsfin, the ombudsman for banks. Third parties must contact the ‘Third-Party Enquiries’ department.

There are certain aspects of (technical) data processing over which KBC Brussels has no, or at best insufficient, influence and for which it cannot guarantee total security. Examples include the Internet or mobile communications (such as smartphones).

If hackers are active, KBC Brussels does not always succeed in repelling their cyber-attacks in time. It sometimes doesn’t even know that it is happening, for example, if a hacker manages to obtain your identification data by installing illegal software on your computer (spyware) or by creating a fake website (phishing). You will find more information on secure online banking at www.febelfin.be (safe online banking).

KBC Brussels therefore suggests that you regularly take a look at the KBC Brussels website for information on safe online banking: www.kbcbrussels.be/secure4u. This site always contains the most up-to-date tips and recommendations to keep you secure online.