
Privacy policy

Last updated 12/2023

Respect for privacy and more specifically, the protection of personal data ("PD", "data") against unauthorised disclosures or processing, is a primary consideration for Keytrade Bank ("Keytrade Bank", "the Bank", "us", "our").

The purpose of this Privacy Policy (the "Policy") is to explain clearly and simply to you how the Bank collects, processes, modifies, transfers, stores, archives, views and deletes your PD ("you", "your").

PD means any information relating to an identified or identifiable natural person, in particular by reference to an identifier (which may be a number). In other words, as soon as a person can be identified on the basis of information available to the Bank, any data relating to this person (e.g., surname, first name(s), age, bank account number, address) are PD.

This Policy applies both to PD which are initially collected when you visit the Bank's Website and when you contact the Bank, and to data which are subsequently obtained by the Bank (for example, when you sign up to an additional product or service, or when you update data you initially provided).

The processing of your PD is subject to compliance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, known as the "GDPR", as well as all regulations applying to PD.*

For more information about data protection, please visit the website of the Belgian Data Protection Authority at https://www.dataprotectionauthority.be.

This Policy is updated regularly. The Bank invites you to frequently check its Website to see the version of the Policy currently in force.

All terms not defined in this Policy and written with a capital letter have the meaning described in the Bank’s General Terms and Conditions.

*These include:

The Law of 30 July 2018 on the protection of individuals with regard to the processing of PD

The Law of 13 June 2005 on electronic communications

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

1. Who is the data controller for your PD?

Keytrade Bank, the Belgian branch of Arkéa Direct Bank SA (France), situated at Boulevard du Souverain 100, 1170 Brussels and registered under CBE number BE 0879.257.191., is the data controller for your PD. As a branch of Arkéa Direct Bank SA (France), itself a subsidiary of Crédit Mutuel Arkéa, the Bank is part of the Crédit Mutuel Arkéa group. Within Keytrade Bank, the DPO Team is responsible for the daily monitoring of GDPR issues (first point of contact) and for compliance with the regulations applicable to PD.

If you have any questions, would like to submit a request to exercise one of your rights under the GDPR or are faced with a problem concerning your PD, you can contact our DPO Team by e-mail at dpo@keytradebank.com or by post at Boulevard du Souverain 100, 1170 Brussels.

Keytrade Bank has appointed a Data Protection Officer ("DPO"), whose role is in particular to inform and advise the Bank on all matters relating to the protection of PD.

You can contact the Data Protection Officer:

By post: Data Protection Officer – Crédit Mutuel Arkéa – 1 rue Louis Lichou, 29808 Brest Cedex 9, France

By e-mail: protectiondesdonnees@arkea.com

2. Which categories of PD are processed?

The various categories of PD that the Bank collects in the context of the banking relationship or when you contact it are as follows:

Identification data: your surname, first name(s), address, identity card number, national registration number, email address, telephone number, login information, employment status;

Transaction data: data relating to your bank and stock market transactions, including your account numbers, card numbers, banking communications, withdrawals, transfers relating to your accounts, any defaults on loan repayments to the Bank, etc.;

Financial data: your bills, payslips, income, the value of your personal property or real estate, repayment capacity, the origin of your funds or assets, etc.;

Personal data: your surname, first name(s), age, gender, date of birth, place of birth, marital status and nationality;

Household composition data: your family situation, details about other members of your household, etc.;

Data relating to your level of knowledge and experience or to your investor profile: your knowledge and experience of financial instruments and your financial situation, including your ability to bear losses, your investment objectives and your risk tolerance;

Data relating to satisfaction surveys or from the contact you have with the Bank;

Audiovisual and electronic data: video surveillance recordings from our branches, telephone recordings from our customer service department or records of email communications;

Data concerning your legal capacity to enter into certain contracts or to perform certain actions: in proceedings relating to collective debt settlement, bankruptcy or incapacity, inclusion on the blacklist of the Central Individual Credit Register of the National Bank of Belgium;

Data associated with the whistleblowing system: the identity, duties and contact details of the whistleblower (except in the case of anonymous reporting) and/or of the people forming the subject of the whistleblowing report, including, where applicable, their company number; the identity, duties and contact details of the people involved in receiving and handling the whistleblowing report (except in the case of anonymous reporting); the information collected in connection with verification of the facts reported; the reports on the verification operations; and the measures taken following the reporting;

Data relating to the contributions of individuals who submit reviews on products, services or content, including their pseudonym;

Data to meet our statutory and regulatory obligations: data, including special data, to comply in a non-limiting way with our statutory obligations (KYC, KYT), regulatory obligations (MiFID, SRD II), court decisions, and applications for attachment;

Data obtained via cookies and other similar technologies: IP address, browser version, how you behave on the website, how many times you have visited the Transaction Website (logs). For more information, please refer to our Cookies Policy.

3. When does the Bank collect your PD?

The Bank collects your PD on the basis of the following sources:

3.1 Data reported

These are all the data that you or a third party explicitly and directly provide to the Bank (surname, first name(s), address, telephone number, email address, employment status (self-employed, employee, etc.)).

These data may be transferred:

When you open a bank account, when you update them or when they are required to allow you to sign up to a new service or product.

When you take part in seminars, tutorials, competitions, events, etc. organised by the Bank, you will need to communicate data making it possible to identify you and contact you.

By a third party, provided that this transfer is necessary (for example, if you are the beneficial owner of a legal entity).

3.2 Public sources or sources accessible to the Bank

When processing your application to open an account or subscribe to a product, the Bank may have to complete or check certain data in registers which are public or to which it has access (for example, the Crossroads Bank of Enterprises, the Belgian Official Gazette, the National Register or the Central Individual Credit Register. For more information on this last point, please refer to the section on the Central Individual Credit Register ("CCP")).

3.3 Use of software

When you use the mobile application (the "Application") developed by Keytrade Bank or connect to the Transaction Website, your data are collected (e.g., logs in computer systems, data relating to electronic signatures).

3.4 Data disclosed during interactions

When you answer a questionnaire, send an email, reply to a message, and/or make a telephone call, the Bank collects and stores the data contained in these files.

3.5 Data collected by or through third parties

For certain services, the Bank uses third parties who collect data about you and share these data with the Bank (for example, on the use of your VISA card, recovery of debts, etc.) The Bank will process these data for specific purposes.

The same applies to PD collected when you interact with us on social networks (such as Facebook or Instagram), or when you leave a review on a platform specialised in collecting customer reviews (such as Trustpilot); the Bank may indirectly collect your PD to respond to your questions, reviews and/or comments.

4. In what circumstances are you required to provide your PD to the Bank?

The Bank undertakes to only ask you for the data it needs to properly examine your request, either when you open a bank account or when you subscribe to a service and/or product, or when you update your data (the concept of privacy by default). So that this concept is respected, every request for information sent to customers and prospective customers (for example, when they sign up to a product online) has been reviewed by the DPO Team, who ensures they are able to justify why each piece of data requested is necessary in view of the specific purpose for which it is collected.

Most of these data are requested so that the Bank can comply with the applicable PD regulations (e.g., regulations on the prevention of money laundering and the financing of terrorism, on markets and financial instruments, and on market abuse).

You do, of course, have the right to refuse to disclose these data, but if this refusal prevents the Bank from complying with its legal obligations, it will be obliged to refuse you the service and/or product or to cancel the banking relationship.

Since the Bank is an online bank, it needs an email address and a mobile phone number in order to provide you with certain information that it must send you. Without these data to validate the opening of a bank account, the Bank cannot enter into a customer relationship with you.

If an item of data is not required by law, the Bank indicates this and you can continue your request for products and/or services without providing this data. These data are mainly intended to improve your customer experience (by personalising your customer environment: adding a photo, naming your accounts, adapting the display of your customer area, etc.)

In the remainder of this section, the Bank will specify the different PD processing activities it carries out. In general, the Bank processes your data on the following legal grounds:

In order to comply with all statutory and regulatory provisions applicable to the Bank;

In connection with the performance of the contract or with pre-contractual measures;

In order to pursue the Bank's legitimate interests, maintaining a balance between these legitimate interests and respect for your privacy, or;

When you have given your consent for a specific purpose or purposes.

5.1 Statutory obligations

The Bank is bound by a number of statutory and regulatory obligations that require us to process your PD. These obligations mainly fall within the areas mentioned below.

5.1.1 Identification, Know Your Customer (KYC) and Know Your Transactions (KYT)

When you open your bank account and for as long as it remains open, the Bank must comply with its obligations to identify and know its customers (KYC) and to monitor transactions (KYT), contained in the law of 18 September 2017 on the prevention of money laundering and the financing of terrorism and the restriction of the use of cash ("AML-FT"). It therefore has an obligation to help prevent money laundering and the financing of terrorism by identifying its customers, representatives and beneficial owners, to establish a risk profile and to monitor operations and transactions. In order to do so, the Bank will process your data several times and may need to ask you for additional information.

If the Bank considers that the regulatory conditions are met, it must also transfer your data to the Financial Intelligence Processing Unit (FIPU).

5.1.2 Criminal investigations – Public Prosecutor charges

In the context of criminal investigations and Public Prosecutor charges, the authorities may request that the Bank supplies certain customer banking relationship information. Subject to strict compliance with the regulations, the Bank will share your data with the authorities permitted to make such requests.

5.1.3 Compliance with court decisions

The Bank has a statutory obligation to comply with decisions and judicial documents enforceable against it. Therefore, if you have been declared without capacity or bankrupt, for example, the Bank is obliged to process your data in order to properly respond to the decision as soon as it becomes aware of it. The Bank may also need to communicate information to the parties involved (lawyers, notaries, guardians, provisional administrators, etc.). The Bank only shares the data the party involved is entitled to access, either by virtue of a ruling or by virtue of the regulations.

5.1.4 Attachment of bank accounts

When an attachment (enforceable or preventive) is carried out on your accounts in compliance with the regulations, the Bank is required to provide certain information relating to your accounts in order that the attachment may take effect. You will be informed of the attachment by the process server or any other authority competent to carry out attachments.

5.1.5 Inheritance and divorce

In the context of inheritances, inheritors are entitled to obtain the account statements of the deceased’s bank accounts in order to monitor and prevent any concealment of an inheritance. The Bank may need to transfer your PD if they are included on the account statements.

In the context of a divorce, the officiating notary may request a statement of accounts from the parties on the date of the divorce in order to be able to carry out the settlement and division of assets.

5.1.6 Market Abuse (Market Abuse Regulation)

The Bank has an obligation to help combat market abuse, by identifying particular information and reporting it to the relevant authorities or partners with which the Bank works on these financial markets.

The Bank may therefore need to transfer your PD to the Financial Services and Markets Authority (FSMA) in the context of reporting by the Bank, FSMA investigations or a cooperation treaty with a foreign administration, subject to compliance with regulations.

For the identification of market abuse, the Bank sends certain pseudonymised PD relating to financial transactions to LiquidMetrix or to our brokers.

5.1.7 Markets in Financial Instruments Directive (MiFID)

The Bank has an obligation to protect investors in financial products and services by identifying, depending on the services, their level of knowledge and experience, their investor profile and category, and their investment capabilities and objectives.

5.1.8 Shareholder Rights Directive (SRD II)

In order to comply with the Shareholder Rights Directive, one of the Bank’s obligations is to disclose the PD of the shareholders of a listed company so that the company, or a third party appointed by it to this end, may contact its shareholders in order to organise their participation and voting at the general meeting.

5.1.9 PD breaches (GDPR)

In the event of a breach of your PD which entails a risk for your rights and freedoms, the Bank will share data, which are in principle anonymised, with the Belgian Data Protection Authority ("DPA") in order to inform them of the PD breach and to provide them with the information needed to assess the seriousness of the breach and to explain the remediation measures taken.

In the event that the breach entails a high risk for your rights and freedoms, the Bank will inform you and send you a summary of the measures taken to mitigate the risks for your rights.

Records relating to PD breaches are kept for a period of five years (for more information about the different retention periods applied, please refer to the "Retention Period" section).

5.1.10 Exercising your rights under the GDPR

When you exercise one of the rights granted to you by the GDPR, the Bank is required to assess your request and, if there is no reason to refuse it, to provide a helpful response to this request.

The file relating to your application will be kept for a period of five years (see the “Retention Period” section).

5.1.11 Central Point of Contact ("CPC")

In order to comply with the Royal Decree of 17 July 2013 on the central point of contact, each year, the Bank sends your data (identification, bank accounts, contracts in progress) to the National Bank of Belgium.

The retention period for the report sent to the National Bank of Belgium is eight years in accordance with Article 8 of the aforementioned Royal Decree. At the end of the retention period, data that have expired are irrevocably deleted by the National Bank of Belgium.

5.1.12 The Central Individual Credit Register ("CCP")

When you take out a loan, the Bank has a statutory obligation to record this information in the Central Individual Credit Register (Royal Decree regulating the Central Individual Credit Register). The same applies when you are in payment default; the Bank must inform the National Bank of Belgium of the default. You will be notified of your inclusion on the NBB's blacklist by post.

5.1.13 Mortgage loans and consumer loans

5.1.13.1 Code of Economic Law

The Code of Economic Law requires the Bank, among other things, to check the accuracy of the information sent, to assist you in your loan application and to advise you. In order to comply with its statutory obligations, the Bank will have to process your data. When documents (e.g., European Standardised Information Sheet, Special Terms and Conditions) need to be drawn up in connection with your mortgage loan application, we send your data to Crefius (for more information on the role and involvement of Crefius, please see the section "Keyhome – Crefius").

5.1.13.2 Financial risk management

The Bank has a regulatory obligation to manage its financial risks and its risk exposure. To assess its risks, the Bank determines risk scores and uses statistical risk models that are based on your PD.

5.1.13.3 AnaCredit – Basel III

Both the AnaCredit Regulation and the Basel III accord are applicable to the Bank’s loan activities. In order to comply with these regulations, the Bank sends the PD of customers who have taken out loans to the National Bank of Belgium (AnaCredit) and also to Crédit Mutuel Arkéa. Crédit Mutuel Arkéa consolidates the data relating to loans with those of the other entities of the Crédit Mutuel Arkéa group before transmitting its report to the European Central Bank (Basel III).

5.1.13.4 Mobilisation of bank receivables ("securitisation" of mortgage loans)

The Bank may process and disclose certain PD (such as the borrower's first name and surname, etc.) in the context of the sale or allocation of bank receivables (including mortgage loans on real estate), in accordance with the applicable regulations (the Law of 15 December 2004 on Financial Securities, the Mortgage Law of 16 December 1851, the Law of 3 August 2012 on miscellaneous measures to facilitate the mobilisation of receivables in the financial sector and the Code of Economic Law). These transactions may include securitisation or other forms of mobilisation of bank receivables.

5.1.14 The Common Reporting Standard (CRS)

If you are a resident for tax purposes of a country that is a member of the CRS other than Belgium, the Bank has a legal obligation (in accordance with the Law of 16 December 2015 regulating the communication of information relating to financial accounts by Belgian financial institutions and the FPS Finance, as part of an automatic exchange of information at an international level and for tax purposes) to include you in its reporting to the Belgian tax authorities, which will, in turn, send the data concerning your assets to the relevant foreign tax authority.

The reporting that the Bank produces in the context of the CRS is kept for a period of 7 years from 1st January of the calendar year following the calendar year in which the data were communicated to the relevant Belgian authority. You can ask the Bank for a copy of the information it has provided to the tax authority under the CRS.

5.1.15 The Foreign Account Tax Compliance Act (FATCA) and Qualified Intermediary (QI)

If you are a US Person under American regulations, the Bank is required to refer you to the American tax authorities as an account holder or beneficial owner and specify your account credit balance.

If the Bank considers that the regulatory conditions are met, it will include you in its QI reporting to the Belgian tax authorities (in accordance with the Law of 16 December 2015 regulating the communication of information relating to financial accounts by Belgian financial institutions and the Federal Public Service Finance, as part of an automatic exchange of information at an international level and for tax purposes) intended for the US Internal Revenue Service (IRS). Lastly, the Belgian tax authorities (Federal Public Service Finance) will communicate your PD to the relevant US tax authorities.

The reporting that the Bank produces in the context of the FATCA and QI regulations is kept for a period of 7 years from 1st January of the calendar year following the calendar year in which the data were communicated to the relevant Belgian authority (in accordance with Article 12(4) of the aforementioned Law of 16 December 2015).

5.1.16 Directives for Administrative Cooperation (“DAC”)

On the basis of the regulations and published information, your data may be transmitted by the Bank in order to comply with the European Directives for Administrative Cooperation ("DAC") in the field of taxation, as transposed into Belgian law.

5.1.17 Deposit Guarantee and Resolution Fund ("FGDR")

The purpose of the FGDR is to protect your assets up to an amount of EUR 100,000 in the event of the failure of the Bank. Since the Bank is a branch of Arkéa Direct Bank (France), your assets must be added to any you hold in an account with Arkéa Direct Bank (trading name Fortuneo). The Bank and Arkéa Direct Bank submit a joint report to the French FGDR.

The reports generated by the Bank and forwarded to Arkéa Direct Bank in connection with the FGDR are kept for one month (they are produced daily).

For more information about the FGDR, please refer to the information document on how your deposits are protected: https://www.keytradebank.be/files/documentcenter/docsProtectionOfDeposits_fr.pdf.

5.1.18 Dormant accounts

If your bank accounts fall within the scope of the legislation on dormant assets, we must process your data in order to attempt to contact you before transferring the assets to the Caisse des dépôts et consignations (Deposit and Consignment Office).

Once the assets on the account have been transferred to the Caisse des dépôts et consignations (Deposit and Consignment Office), your bank account is closed and your data will no longer be processed unless you open a new bank account.

5.1.19 Audits by the authorities

In the event of an inspection by the competent authorities, whether Belgian, EU or foreign, the Bank must provide certain information and access to the authorities so that they can fulfil their duty of inspection under the regulations. Your PD may be transferred or viewed during these checks.

The list of statutory and regulatory areas that govern how the Bank must provide, transfer or process your PD may change.

5.1.20 Whistleblowing system

Keytrade Bank has set up a whistleblowing system. This processing is carried out in order to comply with the requirements relating to the whistleblowing system established by the Law of 28 November 2022 on the protection of people reporting breaches of EU law or national law observed within a private sector legal entity (the "Whistleblower Protection Law").

You can make a report to our Regulatory Department by emailing whistleblower@keytradebank.com. The processing of your PD is strictly limited to reporting coming under the categories mentioned in the Whistleblower Protection Law. If you file a whistleblowing report or are the subject of a whistleblowing report, your PD (including the facts reported, the information gathered in connection with verification of the facts reported and the reports on verification operations and the follow-up to the whistleblowing report) will be processed for this purpose.

5.2 Pre-contractual relationship

5.2.1 Before opening a bank account

Before it opens a bank account or approves your subscription to a product or service marketed by the Bank, the Bank may, and in some cases must, obtain and process certain PD, in particular in order to:

  • respond to your application;
  • provide assistance if you encounter a problem during the online process of registering for a product or service;
  • take an application further, assess suitability and appraise the risks associated with a potential product or service;
  • assess your creditworthiness, or possibly the creditworthiness of people connected to you, when you make an application for credit.

More specifically, the Bank processes your PD in a pre-contractual context as follows:

  • If you open your bank account online using an identity card reader, your data will be read by software installed on the Bank’s servers. This software collects your identity card data and modifies them so that they are in a readable format for the Bank’s computer system.
  • If you open your bank account using a dedicated application (itsme®), your PD will be passed on to the Bank by the company that developed the application (Belgian Mobile Wallet NV/SA).

Any document you provide in connection with the bank account, including the bank account application form, is archived using the company’s archiving services (Merak NV/SA).

When processing your application to open a bank account, the Bank consults the following databases:

  • The National Register if you reside in Belgium (Belgian ID card) via the non-profit organisation Identifin (if you are not a Belgian resident, you must provide us with the necessary documents, including official proof of address and your passport, so that the Bank can comply with its regulatory obligations);
  • The World-Check database (Refinitiv), to fulfil its Know Your Customer ("KYC") obligations before opening any bank account.
  • Any other public source it deems necessary in order to verify the accuracy of the data entered.

5.2.2 Opening a bank account

If your application to open a bank account is accepted, the Bank transfers the PD necessary to generate and send you the connection method you have selected (Softkey and/or Hardkey) to the company OneSpan NV.

In order to open your bank account, the Bank will create your profile in its computer system and take specific steps to open the bank account (e.g., creation of account numbers, login and password).

If you use the bank switching service to transfer your banking data from your previous financial institution to the Bank, your data will be forwarded to the Bank via the non-profit organisation the Centre for Exchange and Clearing (CEC).

5.3 Contractual relationship – products

5.3.1 Account management

The management of your various accounts (calculation of interest, overview of accounts and transactions, provision of documents, tax on stock market transactions, account information service, etc.) is carried out entirely internally at the Bank. Your PD are therefore not passed to third parties for this purpose.

However, if a specific problem is encountered, your data may be sent by the Bank to parties involved, in order to exchange information on the management of your account. This will be the case, for example, if you have entered a transfer to an incorrect recipient and want to cancel it or have been the victim of a scam. The Bank will only transmit the data necessary for the organisation to be able to process the request.

5.3.2 Bank cards (credit & debit)

5.3.2.1 Credit cards

Your credit card application is initially examined automatically (see section 8.3 of this Privacy Policy below). If the system detects a cause for automatic exclusion, your application will be declined immediately. In this case, you can always request a manual reconsideration of the rejection. Where no automatic cause for exclusion is identified, your application is examined manually by an applications manager. If your credit card application is approved, your data will be sent to:

  • Thales Group, so that the card may be physically created and dispatched
  • Monext, a simplified joint-stock company under French law, for the computerised creation of the card and generation of the PIN. In the event of a change to your card (change of PIN, card renewal or replacement, etc.), your data will also be sent to Monext.
  • VISA Belgium SCRL sends the Bank data relating to your card transactions.
  • The insurance policy associated with your credit card has been entered into with Inter Partner Assistance SA. If you make a claim, there will be an exchange of information between the Bank and Inter Partner Assistance relating to the claim.
  • If you block your card using the equensWorldline Cardstop service rather than the Transaction Website, your data will be processed and transferred by equensWorldline.
  • WEngage SA - If you report card fraud on +32 2 679 90 00 outside the Bank’s opening hours, your data will be processed and transferred by WEngage SA.

5.3.2.2 Debit card

Your data are forwarded to:

  • Thales Group, so that the card may be physically created and dispatched
  • Monext, a simplified joint-stock company under French law, for the computerised creation of the card and generation of the PIN. In the event of a change to your card (change of PIN, card renewal or replacement, etc.), your data will also be sent to Monext.
  • Bancontact, VISA or Maestro: For each debit card payment, your data are processed by Bancontact Payconiq Company, VISA Belgium SCRL or Maestro International, and sent to the Bank. The fact that your PD are sent to Bancontact, Payconiq Company, VISA Belgium SCRL or Maestro International is shown on your debit card.
  • If you block your card using the Worldline Cardstop service rather than the Transaction Website, your data will be processed and transferred by Worldline.
  • WEngage SA - If you report card fraud on +32 2 679 90 00 outside the Bank’s opening hours, your data will be processed and transferred by WEngage SA.

5.3.3 Account aggregation service

The Bank will only disclose the data required for particular payment service providers to take action (such as payment initiation service providers and account aggregators) once you have signed up to the service.

PSD2 data relating to payment initiation services and account aggregators are kept in the Amazon Web Services Cloud. Working alongside Amazon Web Services, the Bank has put in place all technical and organisational measures needed to guarantee the security of data when this data transfer is carried out. These measures are in accordance with the applicable professional standards and are reviewed at regular intervals to ensure that they remain appropriate.

5.3.4 Cashback service – PayLead

The Bank offers a cashback service in association with Paylead. If you subscribe to this service, your data will be sent to Paylead in pseudonymised form. Paylead requires information relating to your card payments (credit and debit) to determine the cashback to which you are entitled. Your data will no longer be forwarded as soon as you unsubscribe from the cashback service.

For more information on how Paylead processes your PD, please read the Paylead Privacy Policy available in the Cashback section of the Application.

5.3.5 Stock market orders – custodians

For placing and executing orders on the stock market, your PD are not usually passed on to an intermediary. The same applies to the custodians with whom the Bank cooperates.

However, the Bank may need to disclose your PD to intermediaries or custodians in the context of information requests made under the regulations in force.

5.3.6 KEYPLAN & KEYPRIVATE

If you sign up for the KEYPLAN or KEYPRIVATE products, the Bank will take the necessary steps to open the custody accounts associated with your KEYPLAN or KEYPRIVATE product, and will enter the information required in its computer system so that it can offer you your chosen service.

None of your PD is shared with a third party in order to offer you these services.

5.3.7 Keytrade Pro – Saxo Bank

If you subscribe to the Keytrade Pro service, your PD will be sent to Saxo Bank in order to fulfil the contract, which includes the execution of your orders, as well as to comply with regulations.

5.3.8 Payment of invoices - Zoomit

If you have registered for the Zoomit service (CodaBox SA) for the payment of your bills, the Bank and Zoomit will process your PD in order to fulfil the contract you have entered into with Zoomit.

For more information, please consult Zoomit’s Privacy Policy at https://www.zoomit.be/fr/respect-de-la-vie-privee/ (in French).

5.3.9 Debt recovery

When the Bank holds a claim for credit (balance exceeded, unauthorised overdraft, etc.) against you which has not been repaid within a certain period, it will send your data to its partner with a view to recovering the debt, in compliance with the regulations in force.

If your data are passed on to our partner, you will be notified by post and/or any other means of electronic communication.

5.3.10 KEYHOME - Crefius

As soon as you submit a mortgage loan application, the Bank will send your data to Crefius, with whom it cooperates for the drafting of documents relating to your mortgage loan application (ESIS, loan offer, etc.). If you sign a mortgage loan agreement with the Bank, payment tracking and the risks of your loan are managed by Crefius (recovery of outstandings, one-off repayment, drawdown by tranche, etc.).

5.3.11 KEYHOME – partners

Keytrade Bank has entered into partnerships for the marketing of its KEYHOME product to the customers of certain partners. These partners act in their capacity as credit intermediaries or introducers of business. They send your data to the Bank, either to be able to contact you following your interest in the product, or to examine your mortgage loan application specifically.

You will be informed by the partner before any transfer of PD to the Bank.

For more information, please consult the privacy policy of the partner in question.

5.2.12 Complaints

As part of its handling of complaints, the Bank must process, and possibly transfer, PD to the parties involved (the person making the complaint, the persons involved in processing the case, Test Achats, Ombudsfin, etc.) in order to be able to respond to the complaint and defend its interests. The Bank will only process and disclose those PD it deems necessary for due and correct handling of the claim.

5.3 Contractual relationship – means of communication

5.3.1 Telephone calls

Any telephone interaction between the Bank and its customers and prospective customers is kept for evidentiary purposes and/or quality analysis.

The legal grounds for recording telephone calls lie in taking pre-contractual measures or in the fulfilment of the contract if a banking relationship already exists.

The Bank may also keep telephone recordings when such an obligation is provided for by law and rendered necessary by the specific purpose. This refers in particular to the following specific purposes: if your appeal takes place in the context of a complaint or legal proceedings or if we need to keep the recording as part of one of our legal obligations (AML-FT, Market Abuse, MiFID). The same applies to notification in the event of loss, theft, misappropriation or any unauthorised use of your payment instrument.

The retention periods for telephone recordings are defined in the section provided for this purpose (see section “Retention periods for telephone and written exchanges”).

Telephone recordings are not communicated to third parties unless provided for by statutory provision, or if this is necessary in connection with the management of your contractual relationship (e.g., you have made a complaint).

5.4.2 Emails and written email exchanges

The Bank uses various software programs for sending, processing and receiving emails. For sending emails, the Bank uses in-transit encryption methods which are applied in accordance with the software sending the email and the content of the email, provided that the server receiving the email supports encryption.

In order to guarantee optimum security for the exchange of information, the Bank has set up a Secure Message Box on the application and the Transaction Website, which allows it to communicate directly and easily with its customers in relation to matters such as corporate actions, order execution problems, etc. Unlike email, sending communications via the Secure Message Box makes it possible to significantly limit the involvement of third parties in the sending and receiving process. Only Amazon Web Services is used for data hosting.

A general retention period applies to emails and other electronic exchanges (Secure Message Box), provided that there is no regulatory obligation to retain information for a longer period of time (see section "Retention period").

5.4.3 Hard copy correspondence

In general, the Bank favours electronic communications over hard copy correspondence. Nevertheless, the customer may express their preference for receiving certain information in hard copy (e.g., account statements).

For hard copy correspondence sent automatically (e.g. account statements, information to be sent to all customers in connection with a specific product), the Bank uses the services of Publimail.

For incoming correspondence, the Bank uses Merak’s scanning services. Once the correspondence has been scanned, the scanned version is sent to the Bank, which will deal with your correspondence. Hard copy correspondence shall be destroyed unless the Bank is required by law to retain the original.

A general retention period of one year applies to all hard copy correspondence, provided that a longer retention period is not legally justified.

5.4 Legitimate interests

The Bank also processes your data in order to pursue its legitimate interests. For this purpose, whenever it processes data, the Bank strives to maintain a fair balance between its data processing needs and respect for your rights and freedoms.

For processing activities that are based on legitimate interest, you always have the right to object to processing. In this case, the Bank will no longer process your data for this purpose unless its rights take precedence over your fundamental rights and freedoms.

PD are thus processed for the purposes listed below.

5.5.1 Models, statistics

For the production of models (risk, marketing, forecasts and other) and statistics, the Bank always uses anonymisation techniques.

For the production of models and statistics, the Bank processes a number of data such as:

  • Transaction data in order to better understand use of its services with a view to improving them; monitoring the Bank's activities, in particular measuring sales, the number of calls and the number of people visiting the Transaction Website, as well as ascertaining the most frequently asked questions by customers, etc.
  • Data extracted from documents produced to analyse and predict the Bank’s exposure to risks and, if necessary, take measures to reduce this exposure.

5.5.2 Direct marketing

The promotion of products and services marketed by the Bank in compliance with regulations (see "Direct marketing"). The Bank has carried out a meticulous analysis to define both the products and services that may be the subject of direct marketing and also the customers to whom this marketing may be sent.

5.5.3 Staff training

Your interactions with the Bank which are retained may be anonymised for staff training purposes (telephone calls, email exchanges, etc.).

Safeguarding property and people, combating fraud and attempted hacking, malpractice and other offences imply that images recorded by video-surveillance cameras are only saved in order to safeguard property and people and to prevent malpractice, fraud and other offences that may be committed against our customers or the Bank.

5.5.4 Social media and/or other platforms

When you interact with the Bank's content or one of the Bank's pages on social media platforms (such as Facebook, Instagram, TikTok or Snapchat), or when you leave a review on a platform specialised in collecting customer reviews (such as Trustpilot), the Bank may indirectly collect your PD. This information may include PD that are publicly available, such as your posts and interactions on our social media pages, the comments or messages you share with us (publicly or privately) and any other interaction you may have. The Bank will not use your private messages for advertising purposes.

However, please note that your PD are first processed by the social networks on which you have a profile. The Bank only has access to a small proportion of your PD held by social networks, and only processes these PD if you interact with our pages. If you would like to know how social media handles your PD, please read their privacy policies on the relevant social media channels.

Your PD will be processed for the following purposes: to respond to your questions, opinions and/or comments; to set up promotional campaigns relating to the Bank’s activities, products or services and to send the corresponding advertising; to carry out statistical analyses on the users who interact on our pages and to improve the functioning of our pages.

Furthermore, we consider it important to be aware of our customers’ experience with our services and products. Therefore, our customers may randomly receive an email request to leave a review on the verified and independent review platform Trustpilot. In this regard, the Bank may collect some of your PD, such as identification data or contact details, in order to correspond with you and answer any questions you may have.

When you interact with the virtual assistant on our Website, the intention is not to collect PD. Please refer to the Website’s terms and conditions of use: https://www.keytradebank.be/fr/informations-legales

In some cases, the Bank will only process your PD if it has specifically obtained your consent to do so.

5.6.1 Cookies

Only functional (login) cookies and other similar technologies, which are necessary for the proper functioning of the Bank's Website, will be automatically enabled during your visit. Other cookies (statistical, advertising or tracking cookies) will only be activated if you have given your consent. You can find more information about how cookies work in our Cookie Policy (https://www.keytradebank.be/fr/usage-cookies/).

5.6.2 Competitions, games, events and seminars

Participation in games, competitions and events organised by the Bank also requires the processing of your PD. The Bank undertakes to process your data exclusively in connection with the organisation of the competition, game, event or seminar. Your data will not be used for the purposes of follow-up marketing.

In the event that the competition, game, event or seminar is organised by a third party or if the Bank calls on the services of a third party for its organisation, you will be informed of the transfer of your PD when you share them with us.

5.6.3 Surveys

We analyse the results of surveys conducted among our customers and prospective customers, as well as their views when they are in contact with us, in order to improve customer relations and our products and services.

Before taking part in a survey, we will ask for your consent and possibly ask you to sign a document for the use of images and recordings.

The Bank may call on the services of a third party to conduct the survey. In this case, the third party will have undertaken contractually to comply with regulatory provisions, and the Bank will have taken steps to ensure this (see section "our security system").

5.6.4 KEYHOME – Cardif and Ethias

For insurance linked to your mortgage loan, the Bank has entered into partnerships with Cardif for outstanding balance insurance and Ethias for fire insurance. If you give your consent, Cardif and Ethias may pre-complete the insurance form using the data you have already provided to the Bank.

5.6.5 Direct marketing

Depending on the date on which you opened the bank account, you may or may not have needed to give your consent to receive direct marketing.

If you gave your consent to receiving direct marketing when entering into the banking relationship, the Bank will process your PD, and in particular your contact details, to send you direct marketing (opt-in). If you did not give your consent when entering into the banking relationship, the Bank will not send you any advertising communications or process your data for this purpose (opt-out).

If the Bank did not request your consent when the banking relationship was entered into, the Bank sends direct marketing on the basis of its legitimate interests (soft opt-in).

In practice, this means that you may be contacted in the following cases, for example:

  • About products or services in which you have shown an interest (for example, by registering for an information session or by performing a simulation of the product or service);
  • When the Bank markets products or services that, according to the Bank’s analyses, correspond to your needs;
  • The Bank analyses the results of its marketing activities to measure how effective its campaigns have been, in order to offer you more relevant services and products.

In connection with its direct marketing, the Bank may contact you via various communication channels (e.g., email, telephone (SMS and telephone calls), secure mailbox (via the Transaction Website), social networks, mail). The Bank will choose the most appropriate and least intrusive method of communication, depending on the purpose of the communication. The Bank favours email communications in order to inform you about existing or new products and services.

Any advertising communication sent by the Bank contains a link allowing you to easily withdraw your consent or to indicate specific preferences.

You can also indicate at any time that you no longer wish to receive direct marketing by logging on to the Transaction Website > Preferences > Personal Data > Communication. The Bank will never process your data if you have withdrawn your consent or have objected to the processing of your PD for marketing purposes.

The Bank does not send direct marketing if you do not have an active banking relationship with it (prospective customers and customers whose accounts have been closed are therefore excluded).

6. Cookies and similar technologies

Generally speaking, cookies are small data files stored on your device. They may have different functions. The Bank uses cookies, particularly on its Website and its Application in order to enhance its performance, to enable it to remember your preferences and to bring you information that the Bank thinks will be interesting or useful to you. The Bank also uses data saved by cookies to compile statistics for its Website and to ensure that its performance and content are improved.

For more information about the use of cookies, please read the Cookie Privacy Policy (https://www.keytradebank.be/fr/usage-cookies/).

7. Profiling and automated decisions

Profiling is the automated processing of your PD to assess certain personal factors, such as your interests or your personal preferences, etc.

In order to offer you certain products and services quickly and efficiently, your PD may occasionally be processed in an automated manner either fully or in part, which may result in a decision with legal effects or similarly significant effects on you. This is automated decision-making.

There are three forms of profiling:

  • Profiling in general (which has no legal effects on you);
  • Human decision-making based on the results of profiling (which has no legal effects on you);
  • A fully automated decision (which has legal effects or similarly significant effects on you).

7.1 Profiling in general

The Bank markets a wide range of financial products and services (savings accounts, investment services, pension savings, insurance, mortgage loans, consumer credit, etc.). In order to identify the products and services that actually correspond to your needs, the Bank implements profiling based on some of your PD.

Thanks to profiling, the Bank is able to write customised direct marketing and limit correspondence to communications which it believes are relevant to you. The products and services will remain accessible to all the Bank's customers, unless excluded by law, even if the profiling has not identified that the products correspond to the needs or interests of certain categories of customers.

You can object to profiling for marketing purposes at any time by logging on to the Transaction Website > Preferences > Personal Data > Communication. Each advertising communication also contains a link which allows you to easily object to profiling for marketing purposes.

The Bank also performs anonymous profiling for other purposes, such as:

  • For statistical purposes;
  • To better understand the behaviour and needs of the Bank's customers and to improve services;
  • To analyse the browsing behaviour of visitors to the Bank's Website.

Where the Bank uses profiling based on its legitimate interests, it will carefully assess the legitimate interest in advance to determine whether profiling activity is justified. It will also, in any event, take the necessary measures to minimise any impact on your rights and freedoms.

7.2 Human decisions based on profiling results

These occur when an application is made for a mortgage loan or credit card. The decision of the case manager to grant or refuse you a mortgage or loan will in part be based on the result of profiling carried out by an algorithm. This algorithm uses the data you have sent to us as part of your application for credit, as well as external data (from the Central Individual Credit Register). This algorithm assesses your ability to repay the mortgage or loan you have applied for, and aims to enable the case manager to make a quick and non-discriminatory decision.

A fully automated decision is a decision made with regard to an individual using an algorithm applied to their PD without any human intervention in the process (Recital 71 and Article 22, GDPR).

This is the case with KEYHOME and KEYPRIVATE simulations, which are available on the Bank's Website. In the event of a rejection by the algorithm, for whatever reason, this is a decision that may have legal effects on you.

In some cases, the decision not to grant a credit or debit card is also made on the basis of a fully automated decision. The algorithm takes into account various elements of your application and consults the Central Individual Credit Register database to determine whether it should decline the application.

In the case of a fully automated decision, you will receive an immediate response to your application.

In all cases where an automated decision has legal effects or similarly significant effects on you, you have the right to request human intervention and to be provided with an explanation of the decision taken following this type of evaluation, and to potentially challenge the decision.

8. Retention period

As regards retention periods, a distinction should be made between active databases and archive databases. Customer data relating to their banking activity and the products they have taken out are kept in an active database for as long as they use the product and their banking relationship continues. As soon as all of a customer’s banking activities have ceased, all of their data are transferred to an archive database. When a customer no longer has a product, only the data for that product will be archived. When the data are placed in an archive database, the Bank no longer processes the data unless there is a regulatory obligation to do so, and merely retains the data.

The Bank ensures it does not store your personal data in the active database for any longer than the period necessary for the processing activity for which they have been collected.

When assessing the retention period of your PD in the archive database, the Bank takes into account the applicable regulatory requirements (e.g. requirements resulting from the AML-FT Act).

8.1 Prospective Customers

Your personal data (information relating to the opening of your account, as well as written and verbal communications) as a prospective customer will be held for a maximum period of one year. After this time, your data will automatically be deleted from our database.

8.2 Customers

The Bank applies several retention periods to PD, according to the applicable regulations and the documents concerned. Where a particular retention period applies to a document, this retention period is specified in the section relating to this document (reports).

In this section, you will find an explanation of the different retention periods that the Bank has selected, as well as the data to which the period applies.

8.2.1 Retention period for identification data

Your identification details will be kept for ten years from the date of closure of all your accounts with the Bank (Article 60 of the AML-FT Act). This period may be extended in certain cases, for example if you end your banking activity but have a current mortgage loan or in the event of a dispute (until the dispute is settled).

8.2.2 Retention period for telephone and written exchanges

The Bank applies a general retention period of one year for all communications (e.g., telephone exchanges, electronic and paper correspondence) that it has with its customers for evidentiary and quality analysis purposes, and provided that no regulation justifies longer retention of the data (see below).

The Bank relies on a statutory obligation (pursuant to Article 6.1 c) of the GDPR, as well as Recital 39 of the same Regulation), and the fact that the first communications relating to a particular problem make it possible to better understand the origin and any solutions put forward by the Bank to justify the one-year period.

The Bank retains the means of proving that you have issued the relevant notification for eighteen months from said relevant notification in the event of loss, theft, misappropriation or any unauthorised use of your payment instrument (Article VII.39(3) of the Code of Economic Law).

You may request a copy of the telephone and written communications you have had with the Bank at any time, provided that you submit your request within the retention period indicated in this Policy. The Bank cannot be compelled to produce a document which it has deleted in compliance with the applicable regulatory deadline.

8.2.3 Retention deadline for transaction information

In accordance with Article 60 of the AML-FT Act, information relating to a particular transaction will be kept for a period of ten years from the date of the transaction.

Specifically, if your telephone call or written correspondence is categorised in our computer system as being related to a particular transaction within the meaning of Article 60 of the aforementioned Act, we will apply a ten-year period rather than the general one-year period.

8.2.4 Retention period for stock market orders

Any information that falls under the Market Abuse Regulation or MiFID will be kept for a period of at least five years.

Specifically, if you place an order on the stock market by telephone or in writing, the Bank will keep the data relating to this order for a period of at least five years from the date on which the order was placed on the stock market (instead of the general one-year period).

If you formally submit a complaint to the Quality Care Department, submit your complaint to Ombudsfin or a lawyer, or if your complaint is the subject of legal or arbitration proceedings, the Bank will retain the data relating to the complaint and/or legal proceedings for a period of ten years from the date of closure of the complaint or legal proceedings.

8.2.6 Retention period for data produced by the Bank (templates, statistics, etc.)

For statistics, models, lists of registrations for seminars and other data generated by the Bank on the basis of its customers’ data, a general two-year period is applied. The two-year period is justified because models and statistics must be empirically verified and potentially be refined on the basis of the findings made so that the Bank can continuously improve its services and better meet the expectations of its customers.

8.2.7 Retention period for video surveillance cameras

Data collected using surveillance cameras are retained for a shorter period (one month on a rolling basis for images recorded by surveillance cameras unless the content of an image justifies a longer retention period).

8.2.8 Retention period in connection with insurance

Data and documents collected in connection with insurance (and Branch 21 and Branch 23 life insurance) are kept for a period of ten years from termination of the mortgage loan contract to which the insurance relates or the UPPIE or KeyPension Blue insurance policy.

8.2.9 Retention period for a notification of loss, theft, misappropriation or any unauthorised use of a payment instrument

The Bank will retain for eighteen months any notification relating to the loss, theft, misappropriation or any unauthorised use of your payment instrument, including if this is issued by telephone (in accordance with Article VII.39 of the Code of Economic Law).

8.2.10 Retention period in connection with the whistleblowing system

The Bank will keep the PD and the information you provide in the context of a whistleblowing report. PD that are clearly not relevant to the handling of a specific report are not collected or, if accidentally collected, are deleted without undue delay.

If measures are taken following the whistleblowing report, i.e., a decision is taken to draw the logical conclusions from the whistleblowing report, or if disciplinary proceedings or litigation are brought against the accused person or anyone who has made a wrongful report, all PD collected during the investigation may be retained until the end of the proceedings, up until statute-barring of the proceedings or until all remedies against the decision are exhausted.

PD collected in connection with a whistleblowing report which, on processing, does not give rise to any measures, must be destroyed or archived, after anonymisation, within two months of the completion of the verification operations.

8.2.11 Retention period for data from social networks and/or other platforms

The Bank will keep the PD obtained (directly or indirectly) via social networks or when you leave a review on our products, services or content on a platform specialised in collecting customer reviews.

PD from social networks will be retained until withdrawal of consent or for three years from the last contact of the individuals in question with the Bank.

PD obtained via a platform specialised in collecting customer reviews will be retained either for the period necessary to achieve the objective of the assessment of the quality of KTB’s products or services, or until the exercise of the right to object or withdrawal of consent, or for the term of the contractual relationship in the context of monitoring the customer relationship.

The virtual assistant on the Website is not intended to collect PD, and if you share PD notwithstanding the warning, they will be deleted.

9 Security measures for data management

9.1 Our security system

9.1.1 Monitoring the security of computer systems

The Bank takes the necessary measures to ensure that the confidentiality of your data is guaranteed. To do this, the Bank regularly checks that its computer systems guarantee an appropriate level of protection. In addition, the Bank authorises certain third parties to also monitor the security of the Bank’s computer systems.

9.1.2 Privacy by Design

For each project involving the processing of PD, the DPO Team checks compliance with the GDPR principles (e.g., processing only the data necessary for each specific purpose – Privacy by Default) and ensures that the appropriate technical and organisational measures, in accordance with the rules in force and those recommended by the CMA Group, have been implemented (Privacy by Design). The project can only be marketed or published once validated by the DPO Team.

If the Bank identifies an incident posing a risk to your rights and freedoms, it ensures, in line with regulatory requirements, that it reports this to the Data Protection Authority (DPA) as soon as possible, that it informs the data subjects and immediately takes the necessary steps to minimise any damaging consequences that the incident may have for them.

9.1.3 Transfers to partners (data processor and separate data controller)

As you will have read in this Policy, for some services the Bank uses specialist partners who act as separate data processors or controllers (see also the section "Who receives your PD?"). The Bank ensures the protection of your PD by appropriate provisions in its contracts with these partners, and only uses partners which implement the appropriate technical and organisational measures. If necessary, the Bank supplements the partner's contracts and documentation with other suitable measures (e.g., an annual questionnaire, on-site audits).

When PD need to be transferred to a partner, the DPO Team must examine the transfer before its implementation and ensure that the Bank only makes available to the partner the PD necessary to carry out its mission successfully (Privacy by Default).

Under no circumstances does the Bank share your PD with third parties without there being a specific purpose justifying the transfer of PD.

When the Bank works with data processors located outside the European Economic Area (EEA), it takes appropriate measures (e.g., a data protection impact assessment, additional technical, contractual or organisational measures), and uses the legal mechanisms offered by the GDPR (e.g., adequacy decisions, Standard Contractual Clauses), to ensure that your PD are duly protected in the country of destination. In this case, the Bank reasonably ensures that PD are processed with the same level of security as that required by the GDPR.

9.1.4 Internal access to your data

In accordance with the regulations, the Bank has put in place internal procedures (authorisation profiles) in order to restrict access by employees solely to those data strictly necessary for carrying out their work/tasks.

9.1.5 Staff training and awareness-raising

All Bank employees are made aware of PD protection issues through annual training. For example, the Bank ensures that its employees comply notably with the code of ethics setting out the instructions for the processing of PD.

9.2 Actions you can take

Data security is a matter for everybody.

You can also help keep your PD secure by following the advice below:

  • use the most recent operating system on your device and install all security updates;
  • use the most recent version of your web browser and install all security updates;
  • install antivirus software, anti-spyware software and a firewall, and adjust your preferences so that these safeguards are updated regularly;
  • do not leave your device or your login details unattended;
  • log off the Transaction Website and the app when you are no longer using them;
  • keep your codes confidential;
  • only log in from devices that you trust and do not use shared computers/devices for sensitive transactions.

The Bank will never ask you for your account numbers, debit or credit card numbers, passwords or codes by email or telephone (or text messages/the app, etc.). Therefore, never share this information by any means under any circumstances! If you call the Bank, it may need to identify you. It will do this by asking you some personal questions.

10. Who receives your PD?

The Bank may pass on your PD to other CMA group entities affiliated with it, use service providers, or share some of your PD with our recipients to the extent necessary (e.g., our internal departments) and authorised in accordance with the legislation in force and for the specific purposes described above.

In some cases, we are required to disclose or share your PD in order to fulfil any legal obligation or to protect the rights, property or security of the Bank, or third parties:

  • to the Belgian market and supervisory authorities, to similar foreign authorities, to the Belgian or foreign tax authorities when the Bank is required to communicate your PD (e.g., in the context of reporting);
  • to the relevant authorities or partners with which the Bank works on the financial markets (FSMA, CTIF, LiquidMetrix, ProCapital);
  • to the National Bank of Belgium, for example, in connection with loans granted to you (only for legal entities) and to the Central Individual Credit Register;
  • to the Deposit Guarantee and Resolution Fund;
  • to the Caisse des dépôts et consignation (Deposit and Consignment Office) under the legislation on dormant accounts;
  • to the European Central Bank, in particular in connection with compliance with the final rules of Basel III and reporting obligations to the companies to which these bank receivables have been assigned or allocated;
  • to Crefius in connection with mortgage loan applications;
  • to public, administrative or judicial authorities, such as the police, prosecutors, regulators, courts, and this, only at their express request (or, for example, in connection with a cyber incident) as well as out-of-court mediation services;
  • to process servers or any authority with jurisdiction to carry out attachments;
  • to lawyers, notaries (for example, in the case of a mortgage loan or an inheritance), guardians, or interim administrators;
  • to those individuals specifically responsible for managing whistleblowing reports within the Bank;
  • to the government agencies legally authorised to access/obtain your PD;
  • to the beneficiaries of bank receivables assignment or allocation transactions;
  • to those third-party stakeholders who have a legitimate interest therein in connection with transactions for the assignment or allocation of receivables (including mortgage loans on real estate) such as, for example, rating agencies, external auditors;
  • to third-party custodians or data managers in connection with bank receivables assignment or allocation transactions, or to investors who have invested in securities issued as a result of an assignment or allocation of bank receivables.

In other cases, the Bank calls upon third parties to provide you with services to which you have subscribed or in order to process your PD. For example, this may mean:

  • specialised providers in the financial sector or payment service providers (for example: SWIFT, Euroclear, ING, correspondent banking institutions in foreign countries, Oberthur Technologies, The Netherlands BV, Monext, a French simplified joint stock company, VISA Belgium SCRL, Inter Partner Assistance SA, equensWorldline, Bancontact, Maestro).
  • service providers who assist the Bank in: designing and maintaining its tools; IT service providers (Amazon Web Services); marketing its activities, organising events and managing communications with customers (e.g., Onespan NV); development and/or management of products and services (e.g., Merak NV/SA, Belgian Mobile Wallet NV/SA, CodaBox SA, Paylead, Publimail). In this case, the Bank ensures that these third parties only have access to the PD that they need to complete the specific tasks required. The Bank also ensures that its data processors undertake to process PD securely and confidentially, and use them in accordance with its instructions.
  • ProCapital and Saxo Bank: for brokerage, securities custody, including securities transactions;
  • insurance companies in connection with partnerships (e.g., Cardif, Ethias).

Furthermore, in the case of a restructuring transaction (including the total or partial sale of assets, merger, takeover, acquisition, demerger and, more generally, any operation relating to reorganisation of the Bank), we may transfer some of your PD to a third party involved in the transaction, in accordance with the GDPR. And lastly, the Bank may share your PD to achieve one of the specific purposes set out in this Policy.

11. What are your rights?

11.1 Right to information

You have the right to obtain clear, transparent and comprehensible information about how the Bank processes your PD and how to exercise your rights. This information is contained in this Policy. If this information is not clear enough, please contact us (using our contact details in the Policy).

11.2 Right of access

You have the right to obtain confirmation as to whether or not PD concerning you are being processed and, where they are being processed, to access those personal data. You have the right to obtain a copy of your PD, unless exercising this right infringes the rights and freedoms of others (see section 'How can you exercise your rights?').

11.3 Right to rectification

The Bank takes all necessary measures to ensure that your PD are correct, up-to-date, complete and relevant. For this reason, the Bank asks you to keep it informed of any changes (new home address, new identity card, acquisition of a new nationality, etc.).

However, you can also amend some of your PD yourself by logging on to the Transaction Website > Preferences > Personal Data > Communication, or by using the Application > Plus > Extra > Settings > Personal Data. The Bank consults the National Register in relation to certain PD amendments made by you. This is because the Bank must ensure that the change made matches information held in official databases.

For PD that you cannot change yourself on the Transaction Website or on the Application, you also have the right of rectification in the event of an error or omission. To exercise this right, you may send an email to dpo@keytradebank.com, clearly specifying the reasons why you think the data should be corrected and attaching any documents that show this to be the case.

If the Bank corrects your PD which it had previously shared with a third party, it will also notify the third party.

11.4 Right to be forgotten

In some specific cases, the regulations allow you to have your PD deleted from the Bank's database.

This is the case, in particular, if the data are no longer necessary to achieve the specific purposes for which the Bank collected them, if the processing of your data is based solely on your consent and you decide to withdraw it, or if you have objected to the processing of your data and there are no legitimate grounds for the Bank which take precedence over yours (for example, because you provided your PD with a view to submitting an application for a mortgage loan that you did not ultimately take out).

However, the Bank may store your PD when they are needed for establishing, exercising or defending its rights in court, or for the Bank to comply with its statutory obligations (see section "Retention period").

11.5 Right to restrict processing

This right of objection enables you to ask the Bank to temporarily stop processing your PD in specific cases defined by regulations.

You can ask for your data to be blocked:

  • when the data in question are inaccurate, incomplete, ambiguous or out of date, for the amount of time needed to enable the Bank to check the accuracy of your data;
  • when collecting, processing, disclosing or storing them is prohibited;
  • when the data are no longer needed to achieve the purposes of processing;
  • for the period of time needed by the Bank to assess the merits of an objection request.

If you have exercised this right, the Bank may store your data but it will no longer be able to process them unless you provide your consent to do so, or for the establishment, exercise or defence of its rights (or the rights of another person) or in cases provided for by the regulations.

11.6 Right to data portability

By virtue of this right, you may ask the Bank to send your PD to you or to send them directly to another data controller, where this is technically possible for the Bank. This right only applies to PD which you yourself have supplied to the Bank and which are automatically processed on the basis of the contract or your consent. You can submit a request using the following form.

When your PD are processed because you have provided your consent, you have the right to withdraw this consent at any time (see Section 'How can you exercise your rights?'). However, withdrawing your consent does not call into question the legality of the processing carried out during the period before you withdrew your consent.

11.8 Right to object

You have the right to object, for reasons relating to your particular circumstances, to any processing of your PD which is based on the Bank's legitimate interests. However, the Bank will be unable to grant your request if there are legitimate and overriding reasons that prevail over your interests, rights and freedoms, or if the processing of your PD is required in order to establish, exercise or defend its rights in court.

Furthermore, you always have the right to object, without justification and at no cost, to the processing of your PD for marketing purposes (see section "Direct marketing"). If you do so, your PD will no longer be used for this purpose.

12. How can you exercise your rights?

Customers can send their request from their authenticated email address (i.e., either the email address they provided when opening their account, or any email address they provided subsequently which has been validated by the Bank) to dpo@keytradebank.com, without having to attach a copy of their identity card.

If you no longer have access to your authenticated email address or are not a customer, to exercise your rights, you must send your request to the Bank together with a legible copy of the front and back of your identity card by emailing dpo@keytradebank.com.

Following receipt of a complete request from you, the Bank will assess its validity. If you are entitled to exercise the right invoked, it will take the necessary action as swiftly as possible.

In all cases, the Bank will respond to you within one month. If your request is complex, the Bank will inform you within one month and will contact you again with the information requested within a maximum additional period of two months.

If you request any copies or additional information when exercising your right to access your PD, the Bank may charge you a reasonable amount for administrative costs.

13. Who should you contact in the event of a complaint?

Should you have any complaints about how your PD are processed, you may submit an application for mediation to the Belgian Data Protection Authority at the following address:

Autorité de Protection des Données [Belgian Data Protection Authority]
Rue de la Presse/Drukpersstraat 35
B-1000 Brussels
Tel: +32 2 274 48 00
Email address: contact@apd-gba.be