c warning
Something went wrong. The page is temporarily unavailable.
Private Persons
Businesses
Private Banking
Commercial Banking
All websites
Find a branch near you Got a question, problem, complaint?
Login Login Login Login Login Login
Search Join us Open a current account Login Login Login Login Login Login

Data transfer outside of EEA​

Back

Legislation in some countries outside the EEA (like the United States of America or India) doesn’t always afford the same level of data protection as in EEA member states. Where a non-EEA country is viewed by the European Commission as not offering an adequate level of protection, KBC Bank can cover the deficiency by, say, agreeing the required contractual guarantees with those third parties (such as a model approved by the European Commission), providing control mechanisms and implementing technical and organisational measures.

The transfer of personal data to countries outside the European Economic Area or to international organisations was screened by KBC Brussels. This transfer either takes account of the European Commission’s list of safe countries or is based on reasonable and sufficient security measures or falls under a specific derogation from the GDPR.

The most important aspects of international data transfer are explained in more detail below. Feel free to e-mail mypersonaldata@kbc.be if you have any questions.

KBC Brussels may export some personal data relating to Corporates (e.g. contact details of representatives) to its foreign branches in Hong Kong, China, Singapore and the US, provided the corporate customer also operates in the country in question.

KBC Brussels always opts for the processing of personal data to take place within the European Union. Given the nature of certain processes (for example, when round-the-clock support is required), in some cases personal data may be transferred to processors outside the EEA.

Even if the data centre is located within the EEA, access from outside the EEA may still be possible in some cases (e.g. in case of technical problems, or when round-the-clock support is required). This is also considered data transfer outside the EEA.

For some processes, the processors’ data centres may be located outside the EEA or accessed from outside the EEA, as is the case for the United States of America.
Even if the transfer is subject to an adequacy mechanism (such as the EU-US data protection framework in the United States of America), KBC Brussels will still ascertain that third parties provide an adequate level of protection.

Some examples of processors and the data categories​

- Microsoft: Basic identification and contact details, data relating to product ownership and product usage, etc.

- AWS: Basic identification and contact details, data relating to product ownership and product usage, financial data, etc.

- Adobe: Basic identification and contact details, data relating to product ownership and product usage, financial data, etc.

Similarly, when data is transferred to another controller in a country outside the EEA, these transfers are screened by KBC Brussels and the necessary measures are applied.
Some examples of controllers outside the EEA that may receive personal data from KBC Brussels (valid on 6 May 2024):

Google (United States of America): Basic identification and contact details, data relating to product ownership and product usage, etc. 

You can find the pdf copy of the KBC Brussels Privacy Statement here.