ClearBank Europe: Privacy notice

Your privacy is important to ClearBank Europe N.V. ("ClearBank", "we", "us" and "our"). We are committed to protecting your personal data and being transparent about the personal data we hold and use and, wherever possible, giving you control over how we use your personal data.

Privacy and data protection are an integral part of our systems and services. ClearBank is ISO 27001 certified and maintains a number of security measures to protect your personal data. These include data access controls with respect to ClearBank personnel and ClearBank customers including two factor authentication, encryption of confidential and personal data, monitoring, data loss prevention controls and IT security policies. Your personal data is backed up in different locations and audit logs record user and system activities, exceptions, and information security events. Our personnel undergo regular data protection training and are required to adhere to data protection, confidentiality, and IT security policies and our third party service providers are bound by contractual obligations with regards to data protection, confidentiality, and IT security.

The following serves as our notice at collection of personal data in accordance with applicable law.

We are ClearBank Europe N.V., a company registered in the Netherlands that offers financial services to other companies, our clients. If you are a customer or user of one of our clients or a transaction is made which you are part of, we process your personal data as data controller. We also process your personal data as data controller if you use our website or if you communicate with us. It is important that you read the privacy statement carefully so that you are aware of how and why we use your personal data and what your rights are.

If you have any queries regarding this notice or the way in which we process your personal data, please contact our data protection officer at:

Email: [email protected]

Address:

Data Protection Officer

ClearBank Europe N.V.

Keizersgracht 391 A, 1016EJ Amsterdam, the Netherlands

We may make changes to this notice from time to time to reflect any changes in the ways in which we process personal data or any changes in data protection laws. Any material changes and updates to this notice (being a change in processing purposes, a change to the identity of the controller, or a change as to how you can exercise your rights in relation to our processing) will be communicated to you and posted on the ClearBank Website (www.clear.bank). Please check this notice regularly so that you are aware of any changes.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes or if you become aware that any personal data that we hold is not accurate.

3.1 The term 'personal data' is understood to mean all information that can be traced back to a person who can be identified (directly or indirectly), such as a first and last name, telephone number, postal and electronic addresses, date of birth, payment information and bank details. Data that cannot be traced back to a person (anonymous data) is not considered personal data.

3.2 We offer our services to our clients. For this reason, we most often receive your personal data via our clients. For example, when you make a transaction via one of our clients or if you are involved in such a transaction. If you work for one of our clients, we may receive your personal data from your employer for business reasons such as making contact or concluding an agreement. We can also receive the personal data from yourself, for instance when you contact us. If we receive personal data from third parties, we will inform you of this in the overview below.

3.3 We will only process your personal data when we have a legal ground to do so. Thus, we will only process your data when this is necessary (i) for the establishment and execution of an agreement with you that involves the provision of our services, (ii) to comply with our legal obligations (e.g. regulatory obligations), or (iii) to pursue our own legitimate interests (but always on the condition that your interests and fundamental rights do not outweigh our legitimate interests).

3.4 If we want to process personal data and cannot base this on one of the aforementioned legal grounds, we will always ask for your prior consent to such processing (and only if this is possible and allowed under the GDPR). You can withdraw your consent at any time, either in the same way you consented or by contacting us. Where we obtain your consent to send you marketing communications, you can unsubscribe by following the unsubscribe link within the communication. Upon withdrawal of your consent, we will stop processing your personal data for the purpose for which you withdrew your consent. The withdrawal of your consent does not affect the lawfulness of the processing operations that we carried out before the withdrawal.

3.5 We do not intend to process special categories of personal data. If a special category of personal data is processed directly or indirectly via the transaction details, this is regarded as incidental processing, and our activities are not intended to process this information. The information will be considered to have been made voluntarily public by you.

Some of this information is “sensitive personal information” under the California Consumer Privacy Act (CCPA). We do not use or disclose sensitive personal information for purposes other than those that are exempt from the Right to Limit the Use or Disclosure of Sensitive Personal Information under the CCPA.

3.6 The situations in which we may process your personal data are listed below. You can also read which personal data we process for a certain purpose, on which legal basis we do this and how long we will keep your personal data for that purpose. We have made a distinction between your role as data subject:

3.6.1 In chapter 4, we explain which data we process if you are our client or an employee, shareholder or representative of one of our clients.

3.6.2 In chapter 5, we explain which data we process if you are making a transaction via ClearBank via one of our clients (directly or indirectly) or if you are involved in such a transaction.

3.6.3 In chapter 6, we explain which data we process via our website or if you contact us.

If you are our client, our client's employee, director, officer, shareholder or representative of our client, we can process your personal data. In the table below, we specify which personal data we process for the various processing activities.

If you directly or indirectly use our services via one of our clients, for example when you use a ClearBank account via our client or if your transaction is cleared by us for our client, we can process your personal data. In the table below, we specify which personal data we process for the various processing activities. If you wish to know if your personal data has been processed by us, please verify this with the party which provided you an account or where you conducted the transaction. It may be described in their privacy notice.

If you visit our websites or if you contact us via the website or by other means, we can process your personal data. In the table below, we specify which personal data we process for the various processing activities.

7.1 If the table above states that we need to process your personal data to comply with the law or to perform an agreement with you or an agreement you concluded with one of our subsidiaries or clients, we may not be able to provide you with the full ClearBank services if you refuse to provide us with the required personal data. If we need your consent to process the required personal data, we may not be able to provide you with the full or part of the ClearBank services if you refuse to give your consent and provide the required personal data.

8.1 Where necessary, ClearBank Europe N.V. will share data with other ClearBank group entities including ClearBank Limited and ClearBank Group Holdings Limited. Data processed by any ClearBank group entity will receive the same safeguards and level of protection as data processed by ClearBank Europe N.V.

9.1 Where necessary for the purposes described above and only where permitted by law, we may share your data with external parties, such as (IT) service providers, advisors, external auditors, marketing agencies, intermediaries, parties that provide support services for our internal and external compliance processes, competent supervisory authorities, law enforcement agencies, and other parties set out in the table below, described in this chapter or as otherwise notified to you or agreed between you and us from time to time.

9.2 We ensure that any third party engaged by us who processes your personal data in connection with the purposes listed in chapters 3 to 6 does so under agreement with us and has policies and procedures in place to ensure compliance with data protection laws.

9.3 We ensure that any third party engaged by us who processes your personal data in connection with the purposes listed in chapters 3 to 6 does so under agreement with us and has policies and procedures in place to ensure compliance with data protection laws.

9.4 We will remain the data controller responsible for the processing of your personal data notwithstanding that third parties may operate as a joint controller with us. For some processing activities we may act as a processor for a third party and, in such circumstances, the third party will be responsible for providing you with the processing information required under data protection laws.

9.5 We may share your personal information with third parties where we are required to do so by law or regulation (such as in connection with an investigation of fraud or other legal enquiry by DNB or other authorities), with our accountant to conduct audits or create financial reports or with courts and lawyers in connection with legal proceedings (including where we believe that your actions violate applicable laws or any agreement with us).

9.6 In the event that our business or any part of it is sold or integrated with another business and if necessary, your details may be disclosed to our advisers and those of any prospective purchaser and will be passed to the new owners of the business. Your personal data will be anonymized where reasonably possible.

10.1 Our websites may link or redirect to other websites, social media accounts or other content which is not under our control. Such links or redirections are not endorsements of such websites or representation of our affiliation with them in any way and such third party websites are outside the scope of this notice.

10.2 If you access such third party websites, please ensure that you are satisfied with their respective privacy policies before you provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website operated by any third party.

11.1 Your information may be transferred to and/or stored on the servers of third parties identified in the table above which are based in the UK and other countries outside the EEA. From time to time it may also be necessary for us to transfer your information internationally including to fulfil your request, process a transaction, or otherwise as required in the provision of the ClearBank services.

11.2 However, we will not transfer your personal data outside of the EEA unless:

11.2.1 such transfer is to a country or jurisdiction which the EU Commission has approved as having an adequate level of protection; or

11.2.2 appropriate safeguards are in place in accordance with data protection laws. These safeguards can include the use of standard contractual clauses or binding corporate rules, copies of which you may request by contacting our data protection officer); and

11.2.3 any data importer provides us with relevant sources and information relating to the destination country or territory and the laws applicable to the transfer in that destination country in order to substantiate the matters set out in 11.2.2; or

11.2.4 the transfer is otherwise allowed under data protection laws (including where we have consent, the transfer is necessary for important reasons of public interest, is necessary for the establishment, exercise or defence of legal claims or is necessary for the performance of a contract with the data subject).

11.3 We will ensure that where your personal data is transferred outside of the EEA, the data importer will be contractually obliged to:

(a) ensure your personal data it is afforded the same protection as would be afforded to it within the EEA; and

(b) keep us informed of any development affecting or likely to affect the level of protection your personal data receives in the importer’s country.

12.1 For as long as we process your data, we follow generally accepted industry standards and maintain reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided. All information you provide to us is stored on our secure servers.

12.2 It is important that you keep secure and confidential any login credentials that you have for the ClearBank Website and/or ClearBank Portal. You are responsible for maintaining the security and confidentiality of such login credentials. You should notify us promptly if you become aware that the security or confidentiality of your login credentials is compromised.

13.1 Our websites and portals use cookies as detailed in the Cookie Policy.

14.1 In accordance with the GDPR, you have the right to access, rectify and delete your personal data, the right to restrict and object to the processing of your personal data and the right to data portability.

14.2 Below you will find more details and information on how and when to exercise your rights:

• The right to access your personal data. This gives you the right to receive a copy of the personal data we process about you, in order to check whether the data is correct and whether we process it lawfully.
• The right to request that your personal data be corrected or updated. You can have any incomplete or incorrect personal data that we hold amended or completed.
• The right to request the deletion of your personal data. You can request deletion of your personal data, but only if:
  • your personal data are no longer needed for the purposes for which they were collected;
  • you withdraw your consent if the processing of your personal data is based on consent and no other legal basis exists;
  • you object to the processing of your personal data and we do not have a compelling legitimate ground for processing;
  • your personal data are processed unlawfully; or
  • your personal data must be removed to comply with a legal obligation.

If we grant your request, we will, to the extent reasonably possible, inform the parties with whom we share your personal data. 

• The right to object to the processing of your personal data. If we process your personal data on the basis of a legitimate ground for processing, you may object to us processing your personal data for such legitimate ground. We will comply with your request, unless our legitimate interest outweighs your interests or if we need to continue processing your personal data to establish, exercise or defend a legal claim or to comply with our legal obligations.
• The right to restrict the processing of your personal data. You can request us to restrict the processing of your personal data, in the event that:
  • the accuracy of your personal data is disputed by you, during the period in which we need to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the deletion of your personal data and request its restriction;
  • we no longer need your personal data for the purposes of processing, but your personal data are necessary for you in the context of a legal claim; or
  • you have objected to the processing, during the period in which we have to verify compelling legitimate grounds.
• The right to data portability. You can request us to receive your personal data and/or to send it to a third party, as far as this is feasible. You only have this right if it concerns personal data that you have provided to us and the processing is based on consent or based on the necessity for the performance of our contract with you.

14.3 As stated in our Notice at Collection, we do not "sell" and "share" (as such terms are defined in the CCPA) personal data. We do not knowingly sell or share personal data about individuals who are under the age of 16.

14.4 We do not take decisions based solely on automated processing.

14.5 Additional rights for data subjects in France.

If you are residing in France, you benefit from the following additional rights under French law:

• Age of Consent: The minimum age of consent for processing personal data in France is 15 years old. If you are under 15, processing based on consent requires authorisation from the holder of parental responsibility.

• Right to Post-Mortem Instructions: You have the right to define instructions regarding the retention, deletion, and communication of your personal data after your death. 

  These instructions may be:

  • General instructions registered with a CNIL-certified trusted digital third party; or
  • Specific instructions concerning data processed by ClearBank Europe.

  You may designate a person responsible for executing these instructions. In the absence of designation, your heirs may exercise these rights. To provide post-mortem instructions, please contact: [email protected]

14.6 For further information, or to exercise any particular right, please contact us at [email protected]. 

15.1 We take our data protection obligations seriously. If you have any questions or complaints about this notice or the way that we handle your personal data, we would appreciate the chance to deal with your concerns in the first instance before you approach the relevant data protection authority. Please contact us using the details provided in chapter 1 above.

15.2 You have the right to make a complaint at any time to any relevant supervisory authority for data protection issues, including, in the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (https://www.autoriteitpersoonsgegevens.nl)

If you are a data subject in France, your complaint may also be submitted, at any time, to the French Data Protection Authority (CNIL) at www.cnil.fr.

The CNIL may cooperate with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) under the GDPR's cooperation and consistency mechanisms.