KBC would draw your attention to the most important changes in this data protection statement of KBC Bank NV.

• Anti-money laundering legislation prohibits KBC from giving access in certain cases (added to 2.1)
• Exercise of rights by platform users (2.9.2)
• Revised chapter – legitimate interest (3.3)
• Cooperation with preferred merchants (3.3)
• Sharing personal data of legal representatives and ultimate beneficial owners through KUBE (3.3)
• KBC Language Centre (3.3)
• KBC Bank uses your personal data for direct marketing (3.5).
• Sale of personal data (3.6)

Protection of your data is very important to us. Our aim is to process your personal data in a manner that is lawful, appropriate and transparent. In this data protection statement, we explain which of your personal data we collect from you as a natural person and then process.

We define multiple categories of persons whose personal data we collect and process:

• KBC customers who have a contractual bank and/or insurance relationship with KBC, such as an account or an insurance policy;
• Platform users who have no customer relationship with KBC but use KBC Additional Services in the KBC Mobile app;
• Prospects who have no customer relationship with KBC and may not be platform users either, but who have ties with KBC, for example as data subjects or payees;
• Owners of one or more properties in Belgium. -
  

We recommend that you read this information carefully, so that you know the purposes for which KBC may use your data. This data protection statement also contains more information about your data protection rights and how you can exercise them.

KBC Bank may make changes to this data protection statement. The most recent version is always available at www.kbc.be/privacy. KBC Bank will notify you of every all-important change to the content via its websites, Bolero Online, the KBC Mobile app, KBC Touch, the Bolero App or other communication channels. We also recommend that you read the KBC cookie policy when you use one of KBC’s digital solutions, such as the KBC website or an application. It explains what cookies are, which ones KBC uses, how you change your cookie preferences and how KBC protects your privacy. The cookie policy can always be found in the digital solution itself. For example, you can consult the cookie policy for the KBC website at www.kbc.be, at the bottom of the web page.

KBC Bank NV is a bank with operations in Belgium and a number of other countries worldwide. KBC Bank NV’s head office is at Havenlaan 2, 1080 Brussels. KBC Bank is part of the KBC group (also ‘KBC’ in the following), which is an integrated bank-insurance group, i.e. KBC is a group of companies that, through close cooperation, create and distribute banking, investment and insurance products and provide financial services).

The KBC group principally focuses on retail customers, SMEs and high net worth customers, and mainly operates in Belgium, the Czech Republic, Slovakia, Hungary, Bulgaria and Ireland. Aside from that, the KBC group also operates via companies and establishments in a selection of countries within and outside the European Economic Area (EEA). KBC Bank has legal branches in various places including Germany, The Netherlands, France, Ireland and Italy. For example, outside the European Union, this concerns countries or cities such as the United Kingdom, the United States, China, Singapore and Hong Kong. These may have their own data protection statement, which differs from this data protection statement. KBC also cooperates with parties outside the European Economic Area; more information is provided in 5.2.4.

Members of the KBC group in Belgium include KBC Group NV, KBC Bank NV, CBC Banque SA, KBC Insurance NV, KBC Asset Management NV, KBC Securities NV, KBC Autolease NV and KBC Lease Belgium NV. A few Belgian companies in the KBC group, such as Groep VAB NV and Omnia NV, do not use the letters KBC in their name. More information on the activities of KBC Bank and the KBC group is available at www.kbc.be.

KBC Bank NV is the controller of personal data in the context contemplated in this data protection statement.

Aside from that, KBC Bank also processes personal data on behalf of other KBC group entities, such as where KBC Bank acts as an intermediary for KBC Insurance or KBC Asset Management. In cases such as those, KBC Bank processes the data of customers, insured persons and beneficiaries under insurance policies and under employee profit-sharing bonus programmes of those other KBC group entities. In so doing, it follows instructions issued by that other KBC group entity.

If there are good reasons for doing so, such as those listed in Part 3, KBC may also make data available to other KBC entities, whether in Belgium or elsewhere. Or it can process this data if it has been collected lawfully from another KBC entity (in Belgium or elsewhere). Obviously, this is only possible provided there is no legal impediment, such as a confidentiality obligation or a provision of the data protection legislation. Information exchanges concern personal data as well as information on legal persons, such as for the reasons listed in Part 3. The practice of exchanging information on legal persons is particularly justified by KBC’s desire to provide the support services it does in an efficient manner, mainly because its doing so means that each KBC group entity has the same overview of the customer relationship, complete to the same extent, and that they are all able to issue messages of a commercial nature explaining the KBC group’s financial services and products.

You have a lot of rights when KBC processes your data. When KBC Bank asks your consent for processing, you may subsequently withdraw that consent again whenever you see fit.

If you want to access the data concerning you that is processed by KBC, let us know. Some data can be accessed directly by you, such as in the KBC Mobile app, KBC Touch, Bolero Online or the Bolero App.

If you exercise your right of access, KBC will give you as complete a list as possible of your data. It can happen that some personal data from files such as the usual back-up files, logs and stored/archived records is not included in that list. Such data is not within scope of the data processed on an ongoing basis and is therefore not immediately available. For that reason, it will also not be communicated to you. However, it is removed from those files in accordance with standard data maintenance procedures.

In certain cases, anti-money laundering legislation prohibits KBC from giving you access to the personal data about you that KBC processes. For example, KBC cannot give you access to an anti-money laundering investigation. The law prohibits this, because the release of such information could compromise the investigation. In such cases, you may request further information by e-mailing dataprotection@kbc.be.

It can happen that certain information held on you by KBC Bank is not (or is no longer) correct. You can ask for the data to be corrected or completed at any time.

Customers of Bolero services can change certain details themselves by navigating to the settings menu in Bolero Online and the Bolero App, as well as managing their communication preferences.

You can ask KBC Bank to erase your personal data. If KBC no longer has an overriding ground for processing your personal data, KBC will erase it. Statutory duties can preclude erasure.

If you disagree with how KBC Bank invokes its legitimate interests to process certain data, you can object to such use. We will heed objections unless there are overriding grounds not to do so, such as when we process data with a view to combating fraud.

Below, you will find the main groups of personal data processing operations based on the legitimate interest to which you can object:

You are free to object to any specific processing of personal data at any time. If you do not specify the reasons for your objection, KBC will interpret your query broadly

It is possible that you don’t want KBC to process your personal data at all in order to send you direct marketing. KBC respects that. An ordinary request is enough to exercise your right to object to direct marketing of financial and/or non-financial products. Simply send an e-mail to mypersonaldata@kbc.be, drop by your KBC Bank branch or your KBC agent or contact our KBC Live team. KBC will also ask platform users to state their mobile phone number registered with KBC.

But even if you exercise your right to object to direct marketing, you might still see an advertising message on a digital solution by KBC or through another channel. This may be a general advertising message, for which KBC does not process customers’ personal data, or a personalised advertising message for which we only process your cookie data. If you don’t want the latter, you can withdraw your consent to the collection of these cookie data and them being used for sending customised commercial messages. You can find out how to do this in our cookie policy.

Some data processing operations and processes are fully automated, without any human intervention. In some cases, such a decision can have quite a substantial impact on you, for example in the event of a credit decision or underwriting.

In that case, in its own applications KBC will inform you on the screens or in the terms of use that it concerns an automatically generated decision before asking for your personal data. KBC Bank discloses the logic of this automatically generated decision and its consequences at the moment of processing via a link to the annex to this data protection statement – ‘Automatically generated decisions’.

In addition to and within these product- and service-related decisions, KBC can also use an automated process to make decisions, linked to your history, to prevent fraud and other general risks. KBC Bank discloses the logic of this automatically generated decision and its consequences in the ‘Automatically generated decision’ Annex,

which is available at www.kbc.be/privacy.

If you are dissatisfied with the result of such a fully automated decision, you can contact KBC Bank via KBC Live or any KBC branch. You can, for example, ask a KBC staff member to intervene or tell them why you disagree with the decision and request to view the decision taken.

Automated decision-making is often based on an underlying customer profile.

In certain cases, KBC calculates these profiles for all customers in advance. You may exercise your right to object to this profiling (see Chapter 3.3 for more information about customer profiles).

In other cases, KBC will calculate this profile at the time it decides to execute a contract or to have it entered into. As, in that case, the profiling follows from the contract you wish to conclude, you do not have the right to object.

You are entitled to ask KBC for personal data that you yourself have provided to KBC with your consent or in the process of performing a contract to be transferred back to you or to a third party.

The legislation imposes a number of restrictions on exercise of this right, so that it is not applicable to all data.

In some cases, you may ask KBC to restrict processing of your personal data. Exercise of this right is conditional. You can exercise your right to restricted processing:

• during the period needed by KBC to verify the accuracy of your personal data if you challenge the accuracy of personal data concerning you that KBC processes;
• where processing is unlawful but you do not want the personal data erased;
• when KBC no longer has a purpose for processing the personal data but still needs it in connection with a legal claim;
• pending KBC’s reply to whether KBC’s legitimate interest weighs more importantly than yours when you have exercised your right to object to processing for which KBC invokes its legitimate interest as legal cause.
  

Depending on the type of customer you are (see Part 1), you can exercise your rights in various ways.

Be as specific as possible when you exercise your rights. KBC Bank can only properly answer queries couched in sufficient detail. KBC Bank will need to be able to verify your identity in case someone else tries to exercise your rights. KBC may therefore ask for a copy of your identity card when you make such a request. If you are a platform user, KBC will also ask you for your mobile phone number registered with KBC.

For further questions or comments, you can go to your KBC branch, your KBC Insurance agent or e-mail them to mypersonaldata@kbc.be. This is your first resort for all enquiries regarding data protection.

You can consult, amend or terminate the use of certain data yourself via KBC Touch, the KBC Mobile app, Bolero Online, the Business Dashboard, KBC 4 Business or a branch ATM.

If you have a complaint about the exercise of your rights, KBC Complaints Management will be happy to look into it.

• Send a letter to KBC Complaints Management, Brusselsesteenweg 100, 3000 Leuven, or e-mail to complaints@kbc.be.
• Alternatively, use one of KBC’s electronic channels (including the KBC website, KBC Touch, Bolero Online and the Bolero App)

If you cannot obtain adequate resolution of the matter by the above routes, you can contact the Data Protection Officer at KBC Bank by writing a letter to KBC Bank NV, Group Data Protection Unit (Group Compliance), Havenlaan 2, 1080 Brussels, or e-mailing dataprotection@kbc.be.

If you would like more information or if you do not agree with the standpoint adopted by KBC Bank, be sure to visit the website of the Belgian Data Protection Authority at www.gegevensbeschermingsautoriteit.be. You can also lodge complaints there.

In some cases, you can also exercise your rights directly against third parties. That applies, for instance, to the databases that the National Bank of Belgium (www.nbb.be) maintains, such as its Central Individual Credit Register, its Central Corporate Credit Register and the NBB Central Point of Contact.

You can also exercise your rights if you are a platform user, prospect or property owner. To do so, please send an e-mail to mypersonaldata@kbc.be, stating your name, the telephone number you used to register in the application and, if applicable, the e-mail address.

If you have a complaint about the exercise of your rights, KBC Complaints Management will be happy to look into it.

• Send a letter to KBC Complaints Management, Brusselsesteenweg 100, 3000 Leuven, or e-mail to complaints@kbc.be.
• Alternatively, use one of KBC’s electronic channels (including the KBC website, KBC Touch, Bolero Online and the Bolero App).

If you cannot obtain adequate resolution of the matter by the above routes, you can contact the ‘Data Protection Officer’ at KBC Bank by writing a letter to KBC Bank NV, Group Data Protection Unit (Group Compliance), Havenlaan 2, 1080 Brussels, or e-mailing www.dataprotectionauthority.be. You can also lodge complaints there.

These reasons have been grouped according to the applicable legal basis

Mandatory reporting to the National Bank of Belgium

• Financial institutions are required by law to share certain information relating to their customers and proxy holders with the Central Point of Contact of the National Bank of Belgium, de Berlaimontlaan 14, 1000 Brussels, Belgium (www.nbb.be). Consequently, KBC is required to share information regarding its customers’ and proxy holders’ identities and their financial contracts, including information relating to:
  • the opening and closing of accounts, and powers of attorney for those accounts, including the date and the account number;
  • cash transactions;
  • the conclusion and termination of financial contracts and the applicable dates, such as: contracts for safe-deposit box rental, specific investment services, loans, including mortgage loans, repayment loans and open-ended credit facilities.
• If any information registered with the Central Point of Contact by KBC is incorrect, you can request that it be corrected or removed.
• The Central Point of Contact registers the information and keeps it for a period of ten years for tax investigation, verification and collection of certain receipts, investigation of criminal offences, to combat money laundering and the funding of terrorist activities and major crimes, solvency investigation in the event of the collection of confiscated amounts, data collection by intelligence and security services, bailiffs in the event of attachment, and notarial searches related to tax returns for estates. Access to the information held by the Central Point of Contact is regulated by law. The National Bank of Belgium keeps a list of all requests to access information held by the Central Point of Contact for a period of two calendar years.
• You will find all of the details regarding the Central Point of Contact for accounts and financial contracts in the Act of 8 July 2018, and in Section 322, Subsection 3 of the 1992 Income Tax Code and its implementing decrees.

Anti-Money Laundering Act and preventing the financing of terrorist activities

• Banks must deploy all possible means to prevent, uncover and/or report instances of money laundering and financing of terrorism to the authorities. This is a matter of considerable public interest. KBC Bank must therefore take the necessary steps for this, at both central and local levels. For example, KBC has to gather data on customers and groups of customers or issue risk alerts.
• Specifically, KBC has to:
  • identify you as a customer, representative or ultimate beneficial owner;
    
  • verify your identity;
  • determine your profile (in relation to the risk of money laundering), which involves collating various personal and business data, such as whether you’re a politically exposed person;
  • check your actions and transactions and prevent certain transactions and report them to the Financial Intelligence Processing Unit.
• In doing so, KBC Bank uses details given to it by you yourself plus data that can come from other channels (like Thomson Reuters World-Check, Graydon, Dun & Bradstreet, Swift, Internet search engines, social media, the Internet).
• For example, KBC Bank has to be in possession of a recent copy of your identity card. KBC will therefore scan in your digital identity card (e-ID) as a matter of course, for example if you register at a KBC ATM with your e-ID and PIN or if you use your eID to confirm changes to your address or contact details as held by KBC Bank. KBC Bank is conscious to only store the information it downloads from your e-ID card that it is required to hold by law (that is, the money-laundering legislation, which includes the Act of 18 September 2017 and the 4th Anti-money-laundering Directive (EU Directive 2015/849)).

Sanctions rules

• In the context of the part they play in fighting terrorism and their obligations under sanctions rules, banks are required to screen customer details against sanctions lists. Transactions are also monitored. In some cases, underlying documents are requested and payments may be held back (see the sanctions legislation as well as EU Regulations 2580/2001 and 881/2002). Here, too, KBC Bank uses outside sources such as the Thomson Reuters World-Check.

Prevention of market abuse and conflicts of interest

• Banks are also required (including at group level) to prevent, uncover and report improper use of insider dealing and market manipulation and to notify suspect dealings to the authorities (see inter alia Articles 16 and 17 of the Market Abuse Regulation of 16 April 2014).
• KBC may, directly or indirectly, provide loans, credit facilities or secondary guarantees and insurance contracts to the members of the Board of Directors and persons associated with them, to the members of the Executive Committee and the persons associated with them, and to associated companies. This must be carried out in line with market conditions. KBC has decided to register the identification details of these parties in the persons database so that these parties are recognisable in the systems. In this way, KBC manages to comply with the relevant legislation.

Mandatory use of personal data in banking services

• Banks are responsible for recording transactions in their books of account (required under the accountancy legislation, including the Royal Decrees of 23 September 1992).
• For payment transactions, banks have to pass on details of the originator or payee to the receiving or transferring institution regardless of where it is established (e.g., Section 3 of part VII of the Economic Law Code plus its implementing decrees).
• Banks have to consult certain databases for given types of credit (including current account overdrafts) or to enter information in those databases about the terms and conditions of the relevant agreements and the extent to which they’re complied with. For example, they may:
  • determine your borrowing options and repayment capacity, or make it possible for other institutions to do so;
  • perform risk management;
  • allow the National Bank of Belgium to perform scientific and statistical research and to do the work devolved upon it by law.
• As a rule, KBC Bank refers to the Central Individual Credit Register for all grants of consumer credit. The Central Corporate Credit Register keeps the data available for viewing for one year following the calendar month it relates to (under the lending statutes including the consumer credit and mortgage security acts and the Central Individual Credit Register (Chapters 1, 2 and 3 of Section 4 of Part VII of the Economic Law Code), the secondary Central Individual Credit Register legislation (Royal Decree of 7 July 2002), the Act on the Central Corporate Credit Register of 4 March 2012 and the secondary Central Corporate Credit Register legislation (Royal Decree of 15 June 2012).
• MiFID II (the Second European Markets in Financial Instruments Directive) requires banks to allocate their customers to certain categories. Natural persons automatically qualify as non-business customers (or retail customers), although they can require reallocation as business customers in particular cases. Banks rendering investment advice are required to collect information appropriate to the relevant customer type on the customers’ knowledge and experience, financial resilience, investment objectives, and attitude towards risk and return in connection with products offered to them (see the provisions transposing MiFID II, including the Act of 2 August 2002 and the Royal Decree of 3 June 2007). In addition, under MiFID II banks have to examine whether customers form a certain product’s ‘target market’. Banks whose offering is limited to ‘execution only’ services such as the Bolero platform, also have to collate information according to customer category, which will mainly relate to the customer’s financial knowledge and experience.
• Banks also have responsibility for identifying account holders and the beneficial owners of accounts, safe-deposit boxes or insurance products in the context of reviving dormant accounts, safe-deposit boxes and insurance products (see the Act of 24 July 2008 and the website at MyMinfin) to find out more).
• As provided by law (PSD2), KBC as bank is obliged to provide access to the balance and transaction information of its customers’ payment accounts, insofar as the customer has installed an online app. This access is only granted to third parties that are authorised to operate in Belgium (including other banks) and based on the consent granted to these third parties by the customer. KBC does not have the right to verify the validity of the consent granted to such third parties.

Carrying out the Compliance function

• KBC can use personal data for the purposes of checks, investigations and opinions in areas subject to compliance considerations (such as prevention of money laundering and fraud, investor and consumer protection and data protection).

Other risk monitoring

• Banks are responsible for appropriately controlling risks (including at group level). They are required to detect, prevent, mitigate and address risks. Examples include credit, insurance, counterparty and market risk, risks concerning information management and statutory compliance, the risk of staff, customer and/or supplier fraud, the risk of unethical behaviour by staff or breaches by them of their duties of care. Risk management has to be ensured at both central level (gathering data on customers and groups of customers) and local level (e.g., circulating risk alerts). In this context, all forms of risk profile are moreover stipulated (see the provisions governing credit institutions, inter alia the Credit and Stockbroking Institutions (Status and Regulation) Act of 25 April 2014 and the Insurers and Reinsurers (Status and Regulation) Act of 13 March 2016).
• Mandatory disclosure and reporting to the authorities
• Banks also have to respond appropriately when you exercise your rights under the data protection legislation: they are also required to answer questions from the Data Protection Authority, such as if a complaint is made.
• Banks have reporting duties and need to respond to questions to and from the authorities and bodies with supervisory duties relative to financial institutions such as the Financial Services and Markets Authority (www.fsma.be), the National Bank of Belgium www.nbb.be and the European Central Bank (‘ECB’ – in the context of certain of its oversight functions, including the Credit and Stockbroking Institutions (Status and Regulation) Act of 25 April 2014 as well as the Act of 2 August 2002 (AnaCredit reporting)).
• Upon a customer’s death, the tax legislation contained within the Inheritance Tax Code requires banks to file an official list of the deceased’s assets with the authorities (such as the Inheritance Tax Code).
• Banks have to respond to queries from the tax authorities or may need to voluntarily exchange information for the purposes of tax law (the Income Tax Code, the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS)).
• Banks also have to respond to enquiries put to them by the courts administration (covering law enforcement right from the police, through investigating judges and prosecutors to trial courts) and especially concerning matters falling under the police statutes and court procedure in general (whether civil (Judicial Code) or penal (Criminal Investigation Code).
  

Financial services

Before KBC Bank concludes a contract for a financial or banking product, it may be necessary for certain information to be processed in order to deal with the application and assess properly whether the contract can be concluded and, if so, under what terms and conditions. An example is information collated and processed when a credit application is received (whether it is secured by a primary or secondary guarantee makes no difference here).

KBC offers its services through various channels, directly in the KBC branches, via KBC Live or in the KBC apps, as well as through intermediaries.

As a customer of KBC Bank, you use various services and your doing so renders administrative and accounting processes incumbent on KBC Bank. Examples of processing for the performance of contracts include the administration of accounts, payments, deposits, lending, credit monitoring, monitoring security arrangements, safe-deposit box rental, custody, financial instrument transactions, investment advice or wealth management paying due regard to your investment profile, selling insurance and brokering financial leases.

When you perform a payment transaction, KBC Bank passes the payee information on the transaction’s progress (e.g., general information on why the payment is not passing via a direct debit).

KBC processes the personal data of representatives of legal persons in order to authenticate and communicate with the legal persons and to exercise the company powers for KBC services and products. Security Deposit Savings Accounts can be set up on the KBC website by the tenant or the landlord: the facility is open to both, but the tenant, who becomes the holder of the Security Deposit Savings Account, is the bank’s customer. And the tenant’s personal data, like every other customer’s, get processed by KBC. The landlord, on the other hand need not necessarily be a customer of the bank’s. But because we have to be able to identify them and the subjects of let in respect of which the escrow is bailed, we also process certain necessary personal data of the landlord.

To be able to give investment advice that’s more personal to you, KBC Bank combines the information in your investment profile with certain other details (such as your age and your investment horizon) to gauge your attitude to losses you might incur.

KBC Bank engages in bank-insurance business and therefore works closely together with KBC Insurance. To facilitate this, KBC Bank and KBC Insurance have a large sales network of bank branches and insurance agencies. To provide you with good service, it is important for us to share information within the organization and to group that information together in the hands of (central) relationship managers. KBC wants to make investment advice accessible to a wide public, which includes the use of digital channels. In order to do so efficiently and effectively, KBC calculates behavioural forecasting MiFID customer profiles based on historically available personal data such as transaction data, combined with personal characteristics. KBC calculates the customer profiles specifically for the department where the associated administrative and accounting processes are executed.

KBC Deals offered in the KBC Mobile app

As a customer, you can use the ‘KBC Deals’ service in order to obtain discounts from KBC’s commercial partners in the form of a cashback on your KBC Current Account. The Deals offered are temporary and change on a regular basis. The KBC Deals are personalised discounts, which means that KBC needs some data from you (e.g., transaction details, address, etc.) to offer you this service. KBC also provides the commercial partner with a number of criteria allowing the partner to define the target audience of their Deal more accurately. For instance, the commercial partner can determine whether or not they want to limit their deal to customers who have made purchases with them in the past 3, 6 or 9 months or to customers who live or make purchases in a specific region. In the future, KBC will increase the number of criteria that the partner can rely on. KBC views the customer’s personal data to be able to provide those criteria. For some of the criteria, KBC also views the transaction data. KBC also needs your transaction data to determine whether KBC still needs to pay out cashback(s) to you and, if so, which one(s). For more information, please read the KBC Deals terms of use.

Additional services offered in the KBC Mobile app

• KBC’s own non-financial products and services

In the KBC Mobile app, KBC Bank offers its customers a few of its own non-financial products and services outside the general fields of banking and insurance, which may also be available to platform users, e.g., Goal alert, Digital Safe, Digital My Real Estate Dashboard and Joyn loyalty cards. KBC Bank processes personal data to provide these services and, if the service functionality so requires, personal profiles calculated for that purpose.

• Partners’ non-financial products and services

In the KBC Mobile app, KBC Bank offers its customers non-financial products and services of partners outside the general fields of banking and insurance. KBC provides the third party with the personal data required to provide those products and services, and ensures secure payment. This information is also available in the KBC Mobile app.

Through the KBC Mobile app, KBC also wants to give you access to your personal government documents that can be consulted electronically in My e-Box. The condition is that you link your My e-Box account to the KBC Mobile app. Only you get to see the documents. KBC cannot see or process the content of the documents. If a new document becomes available for you, you will be notified.

To enable such apps to function properly, KBC exchanges personal data with the partner company, whereby KBC is generally the data controller for its own environment (for the payment or, for example, pre-filling of your details) and responsible for the transfer of customer data to the third party. The partner company is the data controller in the context of the service to be provided (such as issuing your ticket). KBC also develops specific applications for business owners, such as invoice collection in conjunction with Go Solid NV. In the KBC Business Dashboard, an online application for businesses, KBC makes the services of third parties available. You can log in to your account with companies that provide specialised services for businesses, such as BrightAnalytics BVBA, Cashforce NV and Soluz.io NV. In order for you to log in securely, KBC exchanges identification information with these companies (surname, first name and your identification number with KBC or a specific identification code), subject to your consent.

In those cases, the third party is the data controller. To make those services by those third parties available, KBC also acts as processor for that third party as data controller.

You must contact those third parties for more information on the protection of your personal data and to exercise your privacy rights.

Payment services remain the core of the KBC Mobile app. KBC integrates the Payconiq by Bancontact app in the Mobile app. Without a bank card or cash you can easily buy something or transfer money to an acquaintance. For the latter, it suffices to select your contacts from your contact list on your phone. KBC asks your consent to view that contact list and shares your selected contacts’ mobile phone numbers with Payconiq, under the responsibility of Payconiq, in order to make the payment possible.

• Partners’ non-financial products and services for platform users

Even if you are a platform user, you may use some of the services described above in the KBC Mobile app. In order to be able to offer you the services, KBC needs some information from you (e.g., mobile phone number, e-mail address, date of birth). KBC keeps your personal data in order to be able to provide the service and to simplify the purchase of such services in the future. In order to avoid your having to fill in these data over and over again, KBC will keep your data for a limited period of time. If you do not use the services for a certain period of time, KBC will delete your data. You may always remove your data yourself by deleting your profile in the KBC Mobile app.

Ask Kate for help

Kate, the personal digital assistant, is a service within the KBC Mobile app.
The Regulations for the KBC Mobile app specify what you can expect from Kate and how the assistant works.
There is a standard and a proactive version of Kate. If Kate is unable to assist you further, she can refer you to KBC Live.

Standard version of Kate

Kate is a standard part of the KBC Mobile app. You decide how to use the service. You can ask Kate simple questions by speaking or typing them in the chat function about banking and insurance matters and about other products, services and applications offered by KBC. To answer your questions, Kate uses the necessary, limited personal data. If you don’t ask Kate anything, no personal data will be processed for the digital assistant. Answering some questions might require a more comprehensive analysis of personal data. This will only occur if you opt for the proactive version of Kate.

Proactive version of Kate

If you activate the special terms and conditions for Kate, you can opt for the proactive version. This advanced digital assistant can also take the initiative to support you in a personalised way and send you messages about products, services and applications offered by KBC if you use other KBC applications for which Kate has been activated.

To allow assistance to be provided and hence to be able to anticipate your behaviour, wishes, risks and needs, Kate analyses the current and past information KBC has on you – personal data or information regarding you in your capacity as legal representative – and your family, such as transaction details, your use of the products, services and applications offered by KBC as well as insights gained through market analysis, general customer behaviour analysis and general analysis of the use of KBC products and services. Kate will apply these analyses to your specific individual or family situation (profiling) in order then to be able to offer personalised service.

To deliver the services of the standard version of Kate, KBC will process your personal data based on the contract for use of the KBC Mobile app. To support the proactive version of Kate, KBC will base itself on the special terms and conditions for Kate, which also form part of the contract for using the KBC Mobile app and which you can activate separately. You can deactivate the proactive version of Kate at any time without affecting the functioning of the KBC Mobile app. You will then retain the standard version of Kate. KBC can also communicate with you separately from the Kate terms and conditions. In that case, personal data will only be processed if KBC has another valid legal basis for doing so. This processing may be based on consent or on a legitimate interest (see points 3.3. and 3.4).

Expense management for business owners

The KBC Mobile app or Touch provides the holder of a KBC Company Account with the ‘send expenses’ service (when activated), which gives you an overview of suspected expenses on the account based on your transaction data.

Expense management for private individuals

The KBC Mobile app or Touch provides the holder of a KBC Basic or Plus Account with additional clarifying information, such as the location where you effected a transaction and the merchant’s trading name and logo, to help you understand the context of the transaction.

In addition to compliance with statutory duties, the performance of a contract and consent, KBC Bank and the KBC group as commercial undertakings have certain ulterior legitimate interests on the basis of which they process personal data. These are inspired by the need to function as a business and to enable new initiatives to be developed and offered to customers. In that regard, KBC ensures that the impact on your privacy is kept to a minimum and that, in all events, KBC’s legitimate interests remain proportionate to the impact that upholding them has on your privacy. Nonetheless, if you harbour an objection to this use being made of your data, you may exercise your right to object. KBC will respect your objections unless KBC has compelling reasons for not doing so.

And so it is that KBC processes personal data in various situations:

Risk management, security and measures to prevent fraud

Identification and prevention of major risks, such as the risk of fraud, cyber and credit risks, based on in-depth data analysis

• KBC Bank uses your personal data, including transaction data to conduct studies, create models and generate statistics for various purposes: regulatory reporting, more effective internal control, fraud analysis and combating fraud, risk analysis, security and other non-commercial purposes. To this end, KBC is setting up an entirely new data warehouse that permits reporting without processing unnecessary personal data.
• KBC develops risk signals. Your behaviour influences the risk signals. If KBC detects from internal or external sources that you are in arrears with the repayment of a credit, you are misusing your payment or credit card, you are part of a collective debt repayment scheme, you gamble heavily, you are involved in a fraud case or a money laundering case, you are providing your cooperation to terrorism, weapons or human trafficking, etc., this will be identified as a risk signal, which may have considerable consequences. A result may be that KBC won’t give you credit or that a local branch cannot decide on a credit, that an employee must consult the compliance department before dealing with you, that KBC doesn’t want to do business with you or decides to terminate the relationship.
• KBC can use your personal data to prevent, detect and investigate fiscal fraud in conjunction with (Belgian) payment systems and providers of other payment services.
• Data processing may be carried out in order to guarantee the safety, security and monitoring of persons and goods.
• Personal data, including biometric data can be used for various purposes, including to detect and put a stop to fraud and cyber risks.
• KBC shares the personal data (including subsequent updates) of the legal representatives and ultimate beneficial owners of any company that is a KBC customer with other banks where that company is a customer or wants to become a customer. Subject to the same conditions, KBC can also receive personal data about the legal representatives and ultimate beneficial owners from other banks. The purpose of this exchange is for every bank to have the most up-to-date KYC data of its customers. This is how KBC Bank contributes to the fight against fraud and money laundering. Moreover, it may simplify and accelerate the customer onboarding process for both the company and the bank. KBC Bank cooperates with Isabel and other associated Belgian banks in this regard.

Use of personal data for the KBC organisation

Use of personal data for internal and regulatory reporting and internal control, and to defend rights and communicate as a company

• KBC may utilise personal data for the administration, management (including risk management) and oversight of the KBC group’s organisation, such as the legal department (including dispute management and legal risks), risk management (such as general credit risk and insurance risk calculations vis-à-vis customers and groups of customers worldwide), risk functions (e.g., Compliance, for all duties not strictly required by law but that are in fact necessary or useful) and inspections, complaints management, and internal and external audit. We retain personal data for possible future evidential use. Storage may be entrusted to outside third parties.
• KBC may utilise personal data to support and simplify the processes of customers beginning to use, using and ceasing to use products and services, including avoiding resubmitting information you’ve already submitted. To avoid your having to go through an entire ID verification process if you want to become a customer elsewhere in the KBC group. Thus, KBC Bank may pass on details of your identity to other companies in the KBC group in order to speed up their process of verifying your identity
• KBC may also utilise personal data for determining, exercising, defending and preserving the rights of KBC Bank or persons whom it might represent (e.g., in disputes).
• KBC can use your personal data to create synergy, increase efficiency and produce other benefits for its organisation and processes.
• KBC can collate personal data held by KBC entities and use it in, or in support of, the implementation of worldwide group-level centralised, coordinated, efficient management of customers and customer groups.
• KBC processes personal data for internal reports and reports required by the authorities, for risk management, for the organisation of internal controls, but also to defend KBC’s rights and to communicate as a company.
• KBC may also collate personal data that KBC entities have at their disposal for creating segments (such as private individuals, businesses and private banking).
• KBC cooperates with preferred third-party service providers for its range of banking and insurance products (see 3.2). To be able to screen and later contact possible future merchants, KBC collects identification and contact details of these potential trading partners. The data may have been communicated to KBC in response to a business event or published on social media or be publicly available.
• KBC keeps the contact details of journalists obtained directly or indirectly, so that KBC can contact them at the appropriate time. For example, to contact the press in case of news updates.
• KBC is an international organisation that works and communicates in Belgium’s national languages, English and various other languages. Translations are essential in that regard. Many of the source texts and translated texts contain personal data. Modern language departments increasingly work on the basis of machine translation. The databases feeding the machines may also contain personal data. KBC retains them for a maximum of five years.
• KBC wants to offer its customers a personalised customer experience, irrespective of the channel the customer has selected (branch, KBC Live, KBC Mobile app, Kate). Information you share with a staff member may be stored in the customer relationship management system for retrieval at a later date or in another channel.

Linked to the provision of certain services

Personal data is processed to support ICT systems and software, improve processes, coach staff and improve services

• When apps are being developed, tests need to be carried out using personal data, including the final acceptance test before an app is put into production. Where necessary, this may be done in conjunction with third parties appointed by KBC.
• If KBC investigates issues in applications, it may process personal data for that purpose.
• Incident management solves issues at customer level. When IT systems’ integrity has been compromised, KBC can resolve issues by recreating missing factors, as part of which KBC processes personal data.
• KBC may use personal data in evaluating, simplifying, testing or improving its processes, digital applications and standard-form documentation and to optimise promotional campaigns, simulation exercises and online sales, such as by using information from cookies (e.g., preference settings and browsing behaviour on our website) to follow up on a simulation left uncompleted, statistics or a satisfaction survey.
• KBC uses services provided by third parties (infrastructure management) that monitor, investigate and, where necessary, restore the performance of KBC infrastructure and software. During these processes, personal data may temporarily be visualised as a technical object. KBC concludes contracts by way of security and provides for technical security both internally and externally to minimise the processing of personal data and maximise security.
• KBC records telephone conversations for purposes related to training and coaching its staff and improving the quality, security and oversight of processes, for brief periods of six months.
• The dealings of KBC’s ‘Corporate Mergers & Acquisitions’ team (M&A) extend over all and any types of KBC products and services. It is possible that, in the process of acquiring or disposing of some part of its business or another, KBC might exchange personal data with companies in the KBC group and third parties.
• Even though there might be no legal obligation to verify the Central Individual Credit Register, KBC always does so when lending to consumers.
• KBC processes personal data, including transaction data in order to gauge your knowledge and experience in relation to investments with a view to protecting investors (MiFID).

Developing models for customer comfort and for marketing purposes

Support of commercial activities based on in-depth data analysis

• Insight gained from analytical models allows KBC to build customer profiles. KBC then adjusts the model both to you as an individual or at the level of your family and may also, exceptionally, apply it to another person for the following purposes:
  • Combining data from different KBC group companies in these analytical models makes it possible to gain data-driven insights that underpin strategic choices that the KBC group makes and helps it develop commercial policy; and
  • Developing the commercial policy, taking into account customers’ behaviour and wishes.

Profiling for marketing purposes

Use of data for personalised commercial messages about KBC products and services

• Creation of profiles to personalise and send direct marketing communications. KBC Bank uses them to offer customers KBC’s and KBC partners’ products and services (see 3.6) or to determine the commercial policy for a particular customer.

Ensuring the best possible customer experience

• Customisation of product and service offers by both itself and third parties.
• KBC uses personal data to send you messages relating to services you’ve requested from KBC or from a third party through the KBC Mobile app, for instance to improve their user-friendliness. You can disable these messages in the KBC Mobile app (under Profile/Notifications).
• When you fill in a KBC Bank form, we naturally process the data needed to administer the process that you completed it for. That means the information you enter to perform a simulation may be stored in the meantime, saving you having to enter it again if you interrupt the process or want to start again later.
• If you started a simulation or sales process but stopped before completing it, we may contact you to see what went wrong and whether we can help; i.e., technical and administrative support for that specific process.
• KBC can use your ‘being a customer’ to determine the preferred channel (branch, KBC Live, the KBC Mobile app, etc.) that it will use to get in touch with you. You can of course still choose how you want to contact KBC.
• KBC may text you to confirm an appointment or remind you that you’ve missed an insurance policy renewal or a loan repayment or that your account is insufficiently funded for a payment order to be executed. You can switch these notifications off in the menu for managing your text message settings.
• KBC Bank uses your transaction data to:
  • provide a categorised overview of your income and expenses via some digital KBC channels, so that you can better monitor your income and expenses;
  • give you specific and practical insights. These insights may draw your attention to things that we assume you should take a look at, such as unexpected behaviour on your current account or in your expenses, or an expectation that your account is insufficiently funded. These insights can be consulted in the digital channels KBC Touch in the ‘Income and expenditure’ section or in the KBC Mobile app in the ‘Insights’ section and in the payment transaction overview.

You can object to this data processing by disabling these features in the respective KBC channel.

• Communication via the KBC Mobile app’s overview page
• In the case of customised service in digital assistant Kate, profiling occurs based on the contract that the customer has signed with KBC to this end (see 3.2).
• Digitisation of KBC services and products to improve their accessibility and user-friendliness with additional personalised information.
• KBC processes customer profiles to be able to send relevant messages and information.
• In the context of investment or insurance advice, information about your investor profile may be exchanged between entities of KBC Group that provide investment advice, including insurance agents, in order to avoid you having to provide the same information again in the context of an advice session, depending on the distribution channel chosen, and to ensure uniformity and consistency of the profile.

Product and service offers

Data processing needed to offer (digital) solutions and determine the relevant KBC strategy

• KBC can use your personal data to make you a better offer than at present or to give you a commercial discount. KBC calculates the commercial discount for all customers, irrespective of any specific request. To this end, KBC analyses the behaviour and a few relevant characteristics of the customer based on customer profiles.
• To be able to offer the ‘My Real Estate Dashboard’ service, KBC makes a few calculations (such as the construction area, roof surface and volume) based on the address (obtained from the Land Registry or purchased) for every property having an address in Belgium.
• To be able to respond effectively to other customers or prospects (such as when preparing simulations or tenders) and where KBC Bank makes unsolicited offers in bespoke form, it can occur that, in the form of carefully shielded underlying processes, it may look at your customer profiles. There is naturally no question of your personal data being divulged to anyone in this context.
• Creation of profiles to tailor KBC’s commercial and product strategies to customers’ behaviour and wishes.
• Preparation of internal reports on the use of processes and products by customers and platform users to evaluate and determine KBC’s commercial and product strategies. In this case, personal data is aggregated to the extent possible.

Offer of aggregated insights

• KBC Bank anonymises data identifiable as yours in order that they can be publicised, for instance when, at the ideal homes exhibition, it wants to publish statistics on the numbers of home loans applied for or granted. KBC Bank may at the same time carefully draw anonymised insight from personal data and subsequently offer that insight in the market.
• KBC may anonymise personal data and, on that basis, draw up aggregated reports containing general spending patterns, sector insights and other trends.
• KBC may offer these aggregated reports as a service or make them available free of charge to organisations based on its social role and to partners to provide insight into the purchase of their services through KBC channels. This allows these third parties to further refine their offers or strategies.
  

Mobilisation of appropriations

• If a credit claim is mobilised from a credit agreement, we may disclose the obligations and, based on legitimate interest, the necessary details of the borrower and guarantor concerned to the transferee for the management of the claim. Mobilisation of credit claims is effected, among other things, in the form of securitisation, assignment of receivables and in the context of covered bonds. The recipient guarantees the confidentiality of the data.
• KBC Bank may disclose information about the credit agreements and the way in which they are executed to:
  • all stakeholder third parties with a legitimate interest (such as the National Bank of Belgium) or third parties to whom the credit agreement may be transferred or assigned;
  • parties that can assign a rating to relevant securitisation transactions;
• improve the operation of market forces when credit agreements are converted into securities, the European Central Bank and the EU authorities impose reporting requirements. These reports are not by named individual but by contract detail (such as number of borrowers, term and due date of the credit, outstanding credit amount, payment arrears, characteristics of the mortgaged pledge). This information must be made available to investors in these financial instruments (often designated as Asset-backed securities or Residential mortgage-backed securities). You will find more on this on the website of the European Central Bank: www.ecb.int (keyword: loan-level).

Corporate customers

• KBC sends messages to its corporate customers, which may be for informational purposes. These messages may include a call to action. In order to reach these customers, KBC sends the message to the representatives designated by the company. For the calculation of the corporate customer’s profile, KBC only uses the company’s data and not the representatives’ personal data.
• KBC may also send advertising messages addressed to the company which also involve the processing of the representatives’ data. Representatives may object to this use.
  

For consenting to direct marketing, further details are given in 3.5.

KBC will request your consent to process:

• PSD2 data that you have personally added in KBC applications such as the KBC Mobile app for commercial models and profiles;
• geolocation data (unless expressly stated otherwise);
• data entered by you in a simulation or competition entry form in order to send you advertising messages;
• underlying data of a form that needs to be completed with certain information for KBC to be able to process the form, in which case KBC will generally ask you to check the data’s accuracy;
• your contact details as representative of your company when we transfer them to, for example, Cashforce;
• biometric data used for identification purposes;
• to answer questions asked by third parties, unless there is another legal basis for doing so, such as a statutory duty;
• KBC will request your explicit consent for the processing of health data. 

If you are no longer able to make your own wishes and needs known, a carefully drafted lasting power of attorney can guarantee that your personal wishes and needs are translated correctly from a lawful point of view, including in banking matters. KBC will respect that expression of your will and your appointed proxy holder. KBC may request your consent through all possible channels, such as the KBC Mobile app’s overview page, Kate or e-mail.

As a commercial enterprise, KBC Bank is keen to be able to suggest a wide range of financial and non-financial products and services to you. It may do so in response to explicit requests or where it has an idea that you might be interested in or could benefit from a given product or service.

We can reach out to you with this information in all sorts of ways: through KBC Bank branches or KBC Insurance agencies, over the Internet and in apps, in the KBC Mobile app’s overview page, by e-mail, post or telephone, via Kate and at events. In addition, the constant flow of new technologies gives KBC Bank new ways it can embrace to serve you better. KBC is at pains to ensure that information is provided in a way that’s clear and will choose the most appropriate channel to ensure the inconvenience of being disturbed is kept to a minimum.

If KBC Bank knows the age, it does not make commercial offers of its own to young persons aged under 16 unless a legal representative of theirs has consented.

If you give explicit consent to receive personalised commercial messages, KBC can make proposals tailored perfectly to your individual situation. You will no longer receive screeds of adverts that are of no interest to you. In this regard, KBC uses your entire personal data (including transaction data and information obtained from third-party sources (such as financial institutions), public sources like the official gazette, the results of discussions at your branch and other contacts). This data is collated along with details of your family and business, and so on, so that KBC is really in a position to provide you with personalised commercial messages. You can withdraw your consent at any time, just as easily as you gave it.

Your consent to receiving personalised commercial messages is valid for each of KBC Bank, KBC Insurance, KBC Asset Management, CBC Banque, KBC Securities and KBC Autolease. As regards KBC Autolease, your consent only applies to services that it provides directly to private individuals. These KBC entities are then able to share your details with one another. Such exchanges are also possible if you’re not, or you are no longer, a customer of any KBC company. This enables KBC companies to look into your situation and proactively suggest alternatives aimed at your specific situation.

The messages are provided to you by KBC directly and not by the partners with whom KBC cooperates and who are listed in 3.5.1.1 and 3.5.1.2. This ensures that data processing by these partners is limited and they only receive data about you if you personally express your interest in the information. KBC has contractual arrangements with the partners, in which they confirm that they will adhere to the data protection laws. Subject to your explicit consent, KBC may send you commercial messages about financial products and services and about non-financial products and services. KBC offers a separate choice for both. Platform users cannot opt for personalised information.

3.5.1.1 Commercial messages about financial products and services (occasionally referred to as ‘personalised information’)

Your consent applies to messages about financial products and services from KBC and from carefully selected partners that offer products or services in the general fields of banking and insurance. Those partners must at all times meet the following criteria:

• They must be a provider of financial services or an insurance company. Financial service providers include banks, credit institutions, wealth managers, funds, stockbrokers and lease companies in as far as their offering to private individuals is concerned.
• If legally required, the partner has to be licensed for the financial service or insurance that KBC is offering.
• The messages contain information on products and services from the general fields of banking and insurance such as savings products, investment funds, lending and insurance (both property cover and life insurance).
• A list of our current financial partners can be found at www.kbc.be/partners.

3.5.1.2 Commercial messages about non-financial products and services

Your consent applies to messages about non-financial products and services from KBC and from carefully selected partners with whom KBC cooperates in order to offer you their services through KBC. The messages may relate, for example but not exclusively, to the Additional Services that KBC offers in the KBC Mobile app, such as selling tickets or offering new deals in KBC Deals. The messages concern non-financial products and services outside the general fields of banking and insurance.

More information about partner services offered by KBC is available at www.kbc.be/partners. This information is updated by KBC on a regular basis.

If you do not want to receive a highly personalised offer, you should not consent to receiving personalised commercial messages. But even if you do not consent to receiving personalised commercial messages, you may occasionally still receive offers and advertising from KBC Bank (e.g., on the KBC Mobile app’s overview page or by e-mail, push notification or text message): based on its legitimate interest, KBC sends offers on the basis of a limited number of data (such as who you are and where you live, your date of birth, your marital status, your contact details, family relationships, the apps and products you use, or any lack of interest on your part in certain products).

These limited personalised commercial messages may concern:

• financial products and services from KBC Bank or KBC Insurance and KBC Asset Management;
• non-financial products and services from KBC and from carefully selected partners in, for example, the Additional Services offered in the KBC Mobile app, such as selling tickets or offering new deals in KBC Deals. Learn more about the partners at www.kbc.be/partners.

You can object to direct marketing for both financial and non-financial commercial messages.

Aside from this, KBC may send you offers based on your usage patterns on its websites and apps, albeit only if you agree to the use of cookies. The cookie consent determines which offer KBC can send you.

In order to be able to send you the appropriate message through the correct channel, KBC may also call on other service providers. For this, KBC may cooperate with communication and marketing agencies, and similar companies such as social media players (e.g., Google, Facebook, Instagram, WhatsApp). Sometimes KBC only uses information it has about you or your personal profile information held by them. In other cases, KBC combines those data. Depending on the type of cooperation, they may be processors or controllers (see points 5.2 and 5.3).

KBC uses personal data from platform users to conduct direct marketing campaigns (e.g., on the KBC Mobile app’s overview page or by e-mail, push notification or text message) based on a legitimate interest. This may involve the services offered through the KBC Mobile app, including KBC Deals, and payment solutions offered by KBC Bank. For this purpose, KBC processes the limited set of personal data the user registered when activating the use of the KBC platform (surname and first name, address, date of birth, mobile phone number and e-mail address). If the user agrees to the use of cookies, KBC may also send offers based on the usage patterns on its websites and in its apps. The platform user may exercise their right to object to direct marketing. The platform user might still see an advertising message, but it will be general advertising for which KBC does not process customers’ personal data.

KBC Bank does not sell or hire your personal data to third parties for their own use, unless you opt for this yourself by giving your consent or in the context of a service.

The types of data that KBC Bank processes are explained below.

KBC Bank sometimes processes information that is a matter of public record such as:

• Information subject to a reporting duty (such as a public notice of your appointment as a company director);
• Data that you have placed in the public domain yourself, such as information on your website, your blog or via your publicly accessible social media profile, information publicly available on the Internet, or information about you that KBC Bank has obtained from third parties (e.g., family members); or
• Data that is in the public domain, say, because it is common knowledge in your area or because it has appeared in the press. Information from sources such as the companies register and Graydon also fall into this category.

KBC Bank may also receive personal data via third parties, for example, but not exclusively, by buying it or obtaining it from the Belgian Land Registry (Kadaster) or from companies such as Bisnode, GIM or Graydon, business organisations, etc. that are responsible for making sure that they gather the relevant information lawfully and pass it on to KBC.

In addition, KBC receives personal data from third parties on the instructions of its customers (e.g., account information from an account held at another bank in connection with the provision of account information services).

KBC uses that publicly available data and information from third parties for all processing for all purposes set out in this data protection statement.

If KBC Bank wants to identify your location (i.e., geolocate you), KBC will always inform you accordingly and will ask for your consent where appropriate, for instance when you visit certain pages on its websites or if you use a KBC app or technology such as beacons. KBC Bank may send you a message for which your location is important. Or, if you’re at a KBC event, the background in the KBC Mobile app might be modified accordingly, for example. It’s also possible that when you enter a shop, the KBC Mobile app will draw your attention to the fact that in this shop you can pay using MobilePay.

In order to offer you this service, KBC may use a geolocation service provider, such as Google. Google has a privacy policy of its own. You can read it in detail at www.google.com/policies/privacy . We recommend that you take the time to read it. KBC Bank could also use the details of your location to build global models and perform analyses. Moreover, we are aware of what your location is on the basis of things like your IP address and your telephone’s technical readings. This information can also be important in relation to things like detecting credit card fraud and improved data protection.

When you contact KBC Bank staff at a branch or by telephone, chat or via Kate, this may be registered:

• to constitute a record of contacts between bank and customer;
• so that there is a (short) record of what was said during that contact;
• to enable bank staff to prepare ‘to do’ lists based on what was discussed during the conversation.

Even if you are not a customer, KBC Bank will store the information you provide. That information can be used if you subsequently become a customer.

In adopting this approach, KBC Bank seeks to avoid your having to constantly provide the same information or answer the same questions. It also allows KBC to improve continuity in the services provided to you.

If you contact KBC Bank by e-mail or have digital communication channels that are used by KBC Bank (e.g., KBC Touch or the KBC Mobile app), it can use these channels to send you mandatory and official notices, in which case KBC will notify you by push notification. KBC works on the assumption that correspondence sent to staff members in their capacity as KBC employees (at a branch or on its fax or to a job-linked or personal KBC e-mail address, etc.) is business-related and that KBC is entitled to read it in the context of:

• their duties;
• the production of evidence;
• workplace checks;
• security;
• fraud prevention;
• service optimisation and/or continuity, including the use of automated text analysis and editing to help KBC staff correspond with you quickly and efficiently.
  

KBC Bank may listen in to or record conversations with you, such as telephone conversations with commercial staff in the branch network or at KBC Live, contact centres and helpdesks, Private Banking branches, our inheritance experts, the Bolero Call Centre and the dealing room.

It does so for purposes related to training and coaching its staff and improving the quality, security and oversight of processes, for brief periods of six months.

However, KBC Bank may also do so as evidence of orders that are given to it. In the context of legal duties for the protection of investors (MiFID II), KBC Bank is required to record and retain telephone conversations and electronic communications that could result in investment product transactions. KBC Bank therefore records the conversations and electronic communications of staff whose work duties relate to investments. If you talk to these experts, specialists or relationship managers or communicate with them electronically, we record it. For evidential purposes and in order to comply with the legal obligations imposed further to MiFID II, KBC Bank keeps recordings for ten years. If a dispute arises, KBC will keep them for as long as it needs to defend its position. You can request a copy of this recording.

KBC attaches a great deal of importance to secure online banking. To that end, KBC set up the Cybersecurity Service Secure4u, which is available 24/7. There you can report (alleged) abuse, after which KBC will investigate the report and possibly contact you by telephone. KBC may then ask you, for example, to lodge a complaint with the police. KBC also records this telephone call for any subsequent juncture.

KBC Bank may also use automated analyses of conversations to speed up and improve its services. Telephone, video and chat conversations (e.g., using Kate), together with other communications and the emotions expressed in them, can therefore be used in the development and training of artificial intelligence. Artificial intelligence could ultimately allow written or spoken customer communication to be fully automated. Artificial intelligence can support KBC staff and increase KBC’s ease of access. The link to personal data is severed as quickly as possible when developing and training artificial intelligence.

KBC Bank may use CCTV in and around the offices and premises where it operates. In the case of security cameras, KBC Bank observes the special rules that apply. If a security camera is present, KBC informs you by means a clearly visible sticker, for instance. In addition, KBC Bank in all events adheres to the ‘besafe’ guidelines issued by the Security & Prevention General Directorate of the Federal Public Service for the Interior (www.besafe.be).

KBC generally keeps images recorded by security cameras in and around KBC Bank premises (identified with a sticker) for no more than one month. They may be kept for longer:

• if the recorded images serve as evidence of certain dealings or may depict a criminal offence or unruly behaviour;
• as evidence of damage or in order to identify an offender, trouble-maker, witness or victim;
• where a right of access is exercised, for as long as necessary to respond to the request;
• at locations that present an increased security risk, in which case the period is three months.
• If you have questions about CCTV images, you can contact the CCTV Contact Centre at Egide Walschaertsstraat 3, 2800 Mechelen, or at CCTV@kbc.be.
  

KBC offers you account information services and payment initiation services, giving KBC access to the balance and transaction information of the accounts you hold with another bank. This is subject to the condition that such payment accounts are accessible online. The account information, which only becomes accessible after you have activated the service, is used by KBC to carry out the requested service. If there are difficulties in connecting KBC to the account-holding bank, limited account information may be exchanged to resolve those problems.

KBC may also use the transaction data obtained to carry out its anti-money laundering and embargo inspections, to monitor and prevent payment fraud and to draw up the required reports. Such activities are mandatory, in accordance with applicable legislation. If you consent to the use of transaction details from other banks, KBC may also ultimately use this data from other financial institutions to optimise its commercial and service models and its profiling, such as for providing the proactive version of Kate (if you opted to use this). Based on that data, the bank can offer you an even more accurate and personalised service. You may withdraw this consent at any time by toggling ‘Data from other banks’ under ‘Profile’, ‘My privacy’, in the KBC Mobile app.

With ‘MobilePay’, another application on the KBC Mobile app, you can pay or receive money from one or more other parties by scanning a QR code. In order to receive money, you can send a payment request via social media apps that you have already installed on your smartphone. Once you have chosen a social media app, you leave the KBC Mobile app. You then send a default message to your contact using the chosen social media app. This message includes a link to the request for payment. However, this request does contain your customer number, surname and first name, and your account number. Your contact then chooses how to pay, which can be the KBC Mobile app but also another payment app.

For instance, if you have a company or children, for example, you agree that KBC Bank can also keep a record of those relationships and process the details of any associated persons. We may also process personal data of parties we have no direct relations with but who are involved in a relationship with us, like being the beneficiary under a life insurance policy or as a usual driver under a car insurance policy, or as a witness to an accident. If you provide information about your family members or related persons, we ask you to inform them of that fact (e.g., of a change of address that you’ve forwarded to us). If needed in order to properly provide services to your family, we may also report limited details on you to your family members, so as to avoid over-insurance for your family.

This has the following implications for legal entities.

• Please note that legal entities may only provide us with personal details of natural persons associated with them if those persons are sufficiently informed of this and, where necessary, have given their consent.
• The legal entity accordingly indemnifies KBC Bank in respect of all liability in this regard (vis-à-vis those concerned). For example, the company is responsible for complying with the data protection legislation when it submits lists of users for online applications or of beneficiaries of employee profit-sharing bonus programmes.
  

Only those with appropriate authorisation can access personal data, and then only if it is relevant for performing their duties. In principle, within KBC Bank and the KBC group, your personal data will only be processed and viewed by certain departments that:

• you now have, previously have had or would in future like to have a contractual relationship or contact with;
• require to be involved in the provision or aftercare of services;
• fulfil legal requirements (at group level) or requirements imposed by regulators or stemming from corporate governance principles;
• are tasked with preventing fraud, including money laundering, by employees and customers.

Some examples:

• When we are notified of the death of a customer of KBC Bank who is also a customer of other KBC entities in Belgium, we also inform those other entities.
• For direct debit mandates, you may take certain steps to block them (e.g., blocking the instruction or imposing a maximum limit). If you take such a step in respect of a direct debit in favour of a KBC company, KBC Bank may inform that company of the fact. The KBC company concerned can then more effectively assess the status of your direct debit instruction.
  

The individuals who are authorised to consult your data are moreover bound by a strict professional duty of confidentiality and must abide by all technical instructions to ensure the confidentiality of your personal data and the security of the systems in which the data is held.

KBC Bank uses the services of several processors to process personal data. These are companies that process data on the instructions of KBC Bank.

For the processing of personal data, KBC Bank makes use of a processor within the KBC group based in the European Union, namely KBC Group NV. Processing is carried out in Brno or Varna, for instance, by the Shared Services Centre, branches of KBC Group NV in the Czech Republic or Bulgaria.

Some of the data processing it does on the instructions of KBC Bank NV relates to audit functions and support functions (at group level), such as: financial reporting, the compliance function, the internal audit function, the inspection and risk function, complaints management, marketing support, support for invoicing , payments, credit processing, and ICT management for the KBC group.

For ICT management, KBC uses KBC Group NV, sometimes in conjunction with other processors within and outside the KBC group. KBC also uses the services of 24+ NV (www.24plus.be):

• as a contact centre through which you can get in touch with us;
• as a contact centre to get in touch with you on behalf of KBC for the purpose of making an appointment or conducting a satisfaction survey, to inform you about ‘personalised information’ and to invite you to make a choice;
• to log data into KBC apps;
• for administrative processing on the instructions of KBC;
• to provide information to the tax authorities and the police.

Examples include making appointments for branches, answering telephone enquiries, handling e-mails, and processing and executing online applications.

KBC works together with Everyone Invested, a subsidiary of KBC Asset Management NV, to analyse the conformity of individual investment portfolios with the KBC Investment Strategy. KBC exchanges anonymised data regarding the investment portfolios with Everyone Invested for this purpose.

KBC Bank uses specialist third parties in Belgium and abroad to perform some processing operations, such as payments.

They are:

• SWIFT (www.swift.com) with headquarters in Belgium and establishments in many countries, for the global message exchange;
• Visa (www.visa.com), Mastercard (www.mastercard.com), Idemia (www.idemia.com) and, in certain cases, Bancontact Payconiq Company NV (www.bancontact.com) for payments and (credit) card transactions worldwide;
• custodians and subcustodians of financial instruments worldwide that are subject to local financial regulations;
• institutions for the settlement and clearing of payments and securities transactions, such as the CEC (www.nbb.be) (payment systems) and Euroclear,
• transport companies (for cash and other valuables) and security firms;
• consumer credit intermediaries (i.e., instalment loans);
• entities that support KBC in complying with its anti-money laundering obligations, for example by developing and using money laundering detection models.

KBC can also cooperate with other processors such as Xerius Ondernemingsloket vzw. Xerius helps you to start up a business. During that process, Xerius may put you in touch with KBC to get your business account opened. Xerius then sends identification details to KBC. Xerius does this with your consent.

KBC Bank may also directly or indirectly (e.g., through KBC Group NV) engage the services of other processors, such as:

• consultants;
• third-party business introducers to fulfil its general duty of vigilance as laid down by law:
  • The obligation to identify and verify identities;
  • The obligation to identify the customer characteristics and the purpose and nature of the business relationship;
  • The obligation to update information.
• market research agencies such as Ipsos (www.ipsos.com), Profacts (www.profacts.be), GFK (www.gfk.com), Check market (www.checkmarket.com.), iVOX (www.ivox.be) and Intrinsiq (www.intrinsiq.be), for issuing invitations and carrying out surveys;

ICT and ICT security service providers like Microsoft, Cognizant, IBM, Amazon and HP, and specialist fintech and artificial intelligence companies such as Onfido for facial recognition during the customer onboarding process;

• marketing and communication agencies and similar companies, whereby KBC uses personal profile information on you that is held by them, along with the data it holds on you, to be able to make targeted offers to you via their channels (e.g., Google, Facebook, etc.);
• companies that support KBC in identifying and analysing your user behaviour in our apps and on our websites (e.g., Adobe, Dynatrace). In preparation for the analysis of Adobe Data Analytics, KBC may rely on the services of Amazon Web Services – Cloud Computing Services. The transfer and processing of personal data from, to and in Amazon Web Services is encrypted.;
• companies specialising in information archiving and access, such as Doccle (Doccle stores information on all our customers, including those that haven’t opted for digital record-keeping);
• companies specialising in solvency investigations;
• companies specialising in specific services that KBC uses when offering services to its customers, such as Meeco for offering the Digital Safe in the KBC Mobile app;
• printers for printing and the addressing of news magazines, cheques and transfer forms, badges, among other items;
• freelance translators and translation agencies;
• social media management tools (CX Social);
• sworn real estate experts;
• communications agency Motisha BV www.motisha.com;
• companies providing Platform as a Service (PaaS) and Software as a Service (SaaS) in the cloud, such as:
  • the Microsoft Dynamics CRM app used by KBC to maintain customer overviews;
  • VEE24’s video chat app for enabling digital communication with KBC;
  • the storage services of Microsoft Azure or Amazon, on which KBC can place its own platforms or software that process and store your personal data;
  • security services that screen Internet or e-mail traffic with KBC for cyberattacks or phishing e-mails;
  • TreasurUp, with whom KBC exchanges the contact details of company representatives to enable forex transaction analysis;
  • …
    

KBC always opts for the processing of personal data to take place within the European Union. If, however, KBC Bank cooperates with a third party, personal data may end up in countries where that third party’s data centres are located. In the case of KBC Bank, this may for example mean that some of your data is processed in countries outside the European Economic Area (‘EEA’), i.e., India, Great Britain, Israel, Australia or the United States of America. Even if the data centre is located within the EEA, access from outside the EEA may still be possible because of the commitment to manage incidents around the clock, whereby the standard ‘follow-the-sun’ principle is applied to switch their incident team at night to the US and then Asia. This is the case, for example, when KBC directly or indirectly cooperates with parties such as Amazon, Google, Microsoft or Onfido.

The law in some countries outside the EEA (like Israel, the United States of America and India) doesn’t always afford the same level of data protection as in EEA member states. Where a non-EEA country is viewed by the European Commission as not offering an adequate level of protection, KBC Bank can cover the deficiency by, say, agreeing the required contractual guarantees with those third parties (such as a model approved by the European Commission), providing control mechanisms and implementing technical and organisational measures.

As a data controller, KBC may – in addition to using other processors – use other service providers or third parties, such as lawyers, notaries public or doctors, who themselves are data controllers.

This is, for instance, the case for KBC Securities Services, which is a part of KBC Bank. KBC Securities is the controller of your personal data when providing services in its capacity as a broker or custodian of securities. To this end, KBC Securities Services works with other third parties such as asset managers and private bankers. They in turn offer their own services, such as investment advice, and therefore also act as a controller of your personal data. When that is the case, another – usually shorter – data protection statement may apply since the service is also more limited. If you purchase a service from KBC that is covered by a shortened or non-standard data protection statement, you will be duly advised of this. The most recent version of the statement applying to services provided by KBC Securities Services can be viewed at www.kbc2s.com.

KBC can outsource the collection of arrears on, say, a loan, to specialised companies that themselves are data controllers. KBC also distributes its own products and services in conjunction with third parties that refer their customers to KBC for, for example, a loan. They do not act as intermediaries in that regard and only pass on to KBC the personal data needed to prepare tenders or simulations. The third parties are responsible for passing on the personal data.

As a bank-insurer, KBC Bank cooperates with KBC Insurance, with both companies acting as data controllers with respect to personal data.

KBC can itself act as a third-party business introducer for, for example, Payconiq, Belgian Mobile ID (itsme). KBC then processes personal data as data controller. KBC transfers this personal data to the third party. Likewise, a third party may act as a third-party business introducer for KBC.

When a mortgage expires and mortgage renewal is needed, KBC will call upon the services of a notary public. KBC provides the notary public with the national registration number(s) of the borrower(s), a copy of the original registration model, the first authenticated copy of the deed or other useful information that allows the notary public to renew the mortgage registration. When as a merchant you want to install an electronic payment terminal and you ask KBC to act as an intermediary in that regard, KBC will pass on your contact details to Worldline NV.

As customer, you can ask for your balance and transactions via so-called virtual ’Voice Assistants’ (Alexa, Google Assistant, etc.). In order to do this, you must first give KBC your consent to transfer the necessary account information to that service. The further processing, such as the electronic pronouncement of your balance by the service, is carried out entirely by the third party that provides the service to you. KBC is not responsible for that.

KBC develops discussion forums like FarmCafe, which shares contact details and information with those taking part in a discussion

KBC acts as a processor of your personal data on behalf of third parties further to the execution of orders at a number of stock exchanges or when acting as a broker. This is, for instance, the case for KBC Securities Services.

KBC Bank ensures that strict rules are followed and that the processors concerned:

• only have the data they need in order to perform their tasks;
• have given KBC Bank a commitment that they will process this data securely and confidentially and only use it for carrying out the instructions given to them.

KBC Bank will not be liable if these processors (according to law) disclose customers’ personal data to local authorities or if incidents occur at those processors despite the measures they have taken. KBC ensures that the European data protection standards for personal data are applied worldwide within companies belonging to the KBC group and their branches. KBC ensures that companies and corporate branches of the KBC group take appropriate measures to protect the data of legal persons.

KBC Bank takes internal technical and organisational measures to prevent personal data finding its way into the hands of, or being processed by, unauthorised parties or being accidentally altered or deleted. Strict security measures are in place to protect premises, servers, the network, data transfers and the data itself, and extra checks are also carried out by a specialist department in this regard.

To make online banking and investment services as secure possible, security experts at KBC continuously analyse cyber-criminal activity so that they can hone the relevant security measures accordingly. Read all about it at www.kbc.be/secure4u . Together with you, we need to be aware that information shared by e-mail can sometimes be intercepted and, where possible, we must aim to use a different means of communication or to limit the amount of information sent.

KBC websites and apps may contain links to websites or information of third parties. KBC Bank does not check such websites or information. Parties offering these websites or this information may have their own privacy policies in place, which we advise you to read. KBC is not responsible for the content of those websites, their use or their privacy policy.

KBC Bank sometimes facilitates the publication of information (including personal data) via social media such as Twitter and Facebook. Bear in mind that these channels have their own terms of use, with which you must comply. Publishing information on social media may have consequences (some of which may be undesirable), including for your privacy or that of persons about whom you share information. You may not be able to delete such published information quickly. You should therefore assess the consequences yourself, because the decision to disclose information on such media ultimately lies with you. KBC does not accept any responsibility in that regard.

KBC uses your personal data where KBC has a clear aim in mind. Once that aim no longer exists, we delete the data.

The period for which your personal data has to be retained is defined by law (usually till ten years after the end of a contract or execution of a transaction. For commercial claims it is 30 years after the end of a contract or execution of a transaction). The period can be longer where needed for the exercise of our rights. If no retention period is stipulated by law, it can be shorter.

For some applications, a more extended time horizon may be necessary, such as for carrying out surveys and risk and marketing models. Some insights only get clearer once they are viewed over a longer time span. This can result in the retention period being extended by ten years on top of the standard periods. As has been stated, KBC will in all cases sever connections to individuals as quickly as possible and work only with aggregated or anonymised data.

Commercially valuable information that you personally registered in the KBC Touch application ‘Profile yourself’ or that was registered at the branch, with the agent or in KBC Live, for example, is retained by KBC for five years.

Personal data on potential customer prospects is used by KBC for a maximum of five years unless, in the meantime, there has been contact with the prospect. In that case, a new maximum five-year period starts. Prospects can always ask for their personal data to be removed.

The retention period that applies to the NC Contact centre application, in which 24+ keeps contact details of potential new customers, is limited to three months.

The retention period of your conversations with Kate depends on the purpose for which KBC needs them. If you communicate with Kate verbally, KBC will not retain the audio conversation itself but only the text that KBC derives from it. KBC retains this text in the same way as your chat conversations with Kate. The retention period defined by law is the point of departure for Kate conversations. In addition, KBC uses these for three years for internal reporting on the use of Kate or for modelling and optimisation purposes.

As KBC Bank has to comply with its confidentiality obligations and with the data protection legislation, it may only answer queries from third parties if they arise pursuant to a legal requirement or a legitimate interest, doing so is a prerequisite for performing the contract or the data subject has given their permission.

In the last case, it actually advises requesting the information directly from the data subject.

KBC Bank declines liability if, as a result of foreign legal obligations, the lawful recipients of personal data require to pass personal data about customers on to local authorities. Or if they process personal data without an adequate level of security

KBC Complaints Management provides answers to the questions posed by Ombudsfin, the ombudsman for banking.

If you as third party have queries about customers, for example because you work for the police or are a notary public or lawyer, you can contact KBC’s Third-Party Enquiries department, Brusselsesteenweg 100, 3000 Leuven. This specialist department will answer your query subject to bank secrecy obligations and the privacy laws. KBC Bank branches and other departments will therefore refer you to that department.

There are certain aspects of (technical) data processing over which KBC Bank has no, or at best insufficient, influence and for which it cannot guarantee total security. Examples include the Internet or mobile communications (e.g., smartphones).

If hackers are active, KBC Bank does not always succeed in defeating their cyber-attacks in time. It sometimes does not even know that it is happening, for example if a hacker manages to obtain your identification details by installing illegal software on your computer (spyware) or by creating a fake website (phishing). You will find more information on secure online banking at www.febelfin.be (‘safe online banking’).

KBC Bank therefore suggests that you regularly take a look at the KBC website for information on safe online banking: www.kbc.be/secure4u. This site always contains the most up-to-date tips and recommendations to keep you secure online.