Privacy

This Privacy Statement sets out how we handle your personal data. You can be confident that we handle your personal data with due care. In the case of some ABN AMRO portals or websites, the use of your personal data may differ from that described in this general Privacy Statement. In such cases, a different privacy statement is provided in the portal or website or additional information is given in the specific online service. We want you to be aware of this so that you can avoid unwelcome surprises.

Who is this Privacy Statement intended for?

Is your company a client of ours or have you contacted us for information on our products and services? Have you or your business applied for one of our products? Are you a Partner, Director, Shareholder, Person with Significant Control, or Beneficial Owner of one of our clients? Are you a guarantor or security provider for one of our clients? Are you a supplier or an intermediary? Do you work for one of our clients or a supplier?

We will process your personal data or that of your related individuals for the purpose of carrying out business with you, for example when we record and use personal data relating to contact persons at companies to which we provide services and with whom we are in correspondence, partners, directors, shareholders, persons with significant control, guarantor(s), security providers, beneficial owners (BOs) of these companies, and also directors of associated businesses, directors of any intermediaries and contact persons at equipment suppliers.

If you are one of the people listed above, this Privacy Statement is intended for you too.

Our contact person for your questions about data protection

We have a designated Data Protection Officer. The designated Data Protection Officer for all ABN AMRO businesses in the UK is The Head of Compliance, ABN AMRO UK, 5 Aldermanbury Square, London EC2V 7HR.

Who controls your personal data?

The controller of your personal data is: ABN AMRO Asset Based Finance N.V., incorporated and registered in The Netherlands (registered number 30099465) and acting through its branch office ABN AMRO Asset Based Finance N.V., UK Branch, registered in England and Wales with UK establishment number BR 016670, hereinafter referred to as ABN AMRO.

What is personal data?

Personal data is information that says something about you. The best known forms of personal data are your name, address, email address, age and date of birth. Personal data also includes your bank account number, your phone number, your IP address and your national insurance number.

There are several special categories of personal data. These include data concerning your health. Another special category concerns biometric data, such as facial recognition or your fingerprints. We may only use this personal data if this is permitted by law or if consent for this is obtained. In all other situations, we are prohibited from using this personal data.

Personal data that we obtained from third parties

Businesses may contact us for information on products or services and may provide us with information which relates to you. In that case, we may use the data we ask for that concerns you, the business, partners, directors, shareholders, persons with significant control, guarantor(s), security providers, beneficial owners, directors of associated businesses and directors of intermediaries and other suppliers. We may also decide to use personal data obtained from other sources, such as:

  • public registers that contain personal data, such as Companies House;

  • public sources such as newspapers and the internet;

  • data files from other parties that have collected personal data about you, such as intermediaries, external marketing firms or credit agencies.

On what basis do we process your personal data?

Obviously, we may not request or use your personal data without good reason. We are allowed to do this only if the processing is based on one of the “grounds” permitted by law. This means that we may only use your personal data for one or more of the following reasons:

Contract

We may need your personal data to conclude a contract for example with a business that you represent. Are you the representative of your business and has your business concluded, or does it want to conclude, a contract with us? Or are you the contact person, partner, director, shareholder, managing director or beneficial owner (BO) of this business? Are you a representative of a supplier or an intermediary? If so, we may use your personal data for other reasons than the performance of the contract.

Legal obligation

The law lays down many rules that we have to comply with. These rules state that we have to record data relating to our clients and personal data in relation to related individuals, and occasionally provide it to others. The following are just some examples of the legal obligations we have to comply with:

  • We have to take steps to prevent and combat fraud, tax evasion, terrorist financing and money laundering. These include asking you and your related individuals to provide proof of identity so that we know who you are. This is why we keep a copy of identity documents.

  • We have legal obligations under the Money Laundering Regulations 2017 and related legislation, and other laws that require us to keep personal data.

Other organisations may occasionally ask us to provide personal data. These organisations include law enforcement agencies, government entities, tax authorities or regulatory bodies around the world (including the Department of Business, Enterprise, Innovation and Skills in connection with an application under the Small Firms Loan Guarantee Scheme or the Enterprise Finance Guarantee Scheme or similar scheme).

If the law, regulation or other supervisory authority requirements stipulate that we must record or use your personal data, we are required to do so. In that case, it does not matter whether you are a client of ours or not. For example, we must check whether clients, and the representatives of clients, are genuinely who they say they are. In addition, we must keep a record of personal data items for all partners, directors and signatories. We are not required to establish your identity if we only use your personal data because you are the payee of a payment made by one of our clients.

Legitimate interest of ABN AMRO or others

We also have the right to use your personal data if we have a legitimate interest in doing so. In that case, we must be able to demonstrate that our interest in using your personal data outweighs your right to data protection. We must balance all interests. Here are a few examples of when this might happen:

  • We protect property and personal data belonging to you, to us and to others.

  • We protect our own financial position (for example, by undertaking financial risk assessments), your interests and the interests of other clients (for example, in the event of an insolvency).

  • We carry out fraud detection activities so that clients and ABN AMRO do not suffer losses as a result of fraud.

  • We keep you up-to-date on product changes and send you information, offers and other relevant news for your business by means of direct marketing.

  • We aim to organise ABN AMRO efficiently. We may centralise our customer and business management systems, make use of other service providers, and conduct statistical and scientific research.

Even if you do not have a contract with us, we may still use your personal data on the basis of a legitimate interest. In that case, we will obviously first check whether this is permitted, for instance for fraud prevention purposes. We assess whether we may use personal data for marketing purposes on a case-by-case basis, and separately for each type of personal data and for each group of data subjects. We ensure that we do this in accordance with the law and the subject matter of this Privacy Statement.

What does ABN AMRO use your personal data for?

We use your personal data to help make our operations and our services as effective, reliable and efficient as possible. This is done for the following purposes:

  1. Contract. We enter into contracts with the business you represent or are related to and perform these contracts. We use this information for assessing and accepting clients, carrying out financial (including credit) risk assessments, risk reporting and risk management, as well as carrying out payment transfers. If we do not have the relevant personal data to verify the structure of the company, we cannot offer your company our products. We may also use personal data to trace debtors and recover debt.

  2. Research. Within ABN AMRO, we study possible trends, problems, root causes of errors and risks, for instance to check whether new rules are properly observed. This helps us prevent complaints and losses. We also perform analyses with respect to personal data for statistical and scientific research.

  3. Better or new products and services. Do our products still meet your wishes and expectations? We carry out research in this area and may use your personal data to do this. We study trends and use personal data with the aim of analysing and continuing to develop our products and services.

  4. Marketing. You receive offers from us and other members of the ABN AMRO Group, and news that is appropriate for your business. In this context, we use personal data that we received from you or your business, for instance because you requested information in the past or because your business is already a client of ours. We may also make use of personal data that we obtained from other parties.

  5. Security and the integrity of ABN AMRO and our sector and compliance with legal obligations. We are required to guarantee the security and integrity of the financial sector, ABN AMRO, our employees, our clients and related individuals. We may therefore use your personal data to prevent or combat attempted or actual criminal acts, such as fraud or terrorism.

  6. Social responsibility and legal obligations. Given the nature of our business, we play a key role in society. We help to prevent terrorist financing, money laundering and fraud, for instance by reporting unusual transactions or by identifying and stopping potentially fraudulent transactions and verifying transactions with you if necessary. We are also required to know our customers and carry out checks on their identity and structure. For businesses, this includes obtaining personal information on Partners, Directors, Beneficial Owners, Persons with Significant Control, Guarantors, Directors of Associated Businesses and Directors of any Intermediaries. This helps us to understand your business better, and to protect the financial sector, ABN AMRO, our employees, our clients and related individuals from attempted or actual criminal acts. Public authorities also ask us to provide personal data when they investigate problems or suspected criminal offences. In this context, we check whether it is a legitimate request. The banking and financial sector is a highly regulated industry. This means we have to comply with many rules. Besides European and UK rules, these rules also include the laws of other countries. ABN AMRO must therefore also record and keep personal data for this purpose, and sometimes also provide personal data to the competent authorities. We always check first whether this is permitted.

Additional rules apply to special categories of personal data. Where we require any such information we will confirm to you the purpose for which this is required and will request your consent where consent is required.

Other purposes

We may use your personal data for other purposes than the purpose for which you or your business supplied the personal data to us. In that case, the new purpose must be in line with the purpose for which you or your business initially provided your personal data to us. The law refers to this principle as ‘compatible use of personal data’. The law does not specify exactly when a use is compatible, although it does provide guidance.

  • Is there a clear correlation with the purpose for which you initially provided the personal data? Is the new purpose appropriate to the initial purpose?

  • How did we originally receive the personal data? Did we obtain the personal data directly from you or in another way?

  • What kind of personal data are we talking about exactly? Is the personal data in question considered sensitive to a greater or lesser degree?

  • How would you be affected? Would you benefit, suffer or neither?

What can we do to ensure the highest possible level of protection for your personal data? Examples include anonymisation and encryption.

ABN AMRO Group and your personal data

We may share your personal data within our group in the UK and abroad for internal back-office purposes or with a view to improving our services to you, or providing you with information on other relevant products and services provided by other members of our group, or because the law requires that we do this. For instance, it may be important for us to know when you apply for a product offered by one part of the ABN AMRO group on behalf of your business, that your business has already accepted a product from another one of our subsidiaries. Other members of the ABN AMRO group may also contact you with information on other relevant products and services.

Using personal data with or without your consent

In most cases, ABN AMRO uses your personal data without obtaining your consent for this. This is permitted by law. We do this because:

  • this is necessary because of the contract we have with you or that we intend to conclude with you or your business, for example if you are the sole proprietor of such business;

  • the law requires us to obtain, use or hold your personal data;

  • ABN AMRO or a third party has a legitimate interest.

Sometimes, however, we are required to ask you for your consent. Before you give consent, we recommend that you carefully read the information we provide concerning the use of your personal data. If you have given consent and you want to withdraw this consent, you can do that very simply.

We make use of cookies and similar technology on our websites and/or in client portals. For more details, see our Cookie Statement. Personal information is captured to allow us to improve our online services to you.

Good to know

When we use your personal data on the basis of the law or a legitimate interest, we do not require your consent to use your personal data. In such cases, however, you may raise an objection.

Required personal data

If we need personal data from you in order to conclude a contract with your business and you or the business refuses to provide this data even though this is required by law, we cannot enter into a contract with your business. If a contract already exists, we must terminate our contract with your business.

Do you want us to remove your personal data from our systems? Unfortunately, we cannot remove required personal data. We need this data, for instance for the performance of the contract you have with us, or because we are required to keep this data by law or owing to a legitimate interest of ABN AMRO.

Camera images, telephone calls, chat messages and video chat sessions

If you visit us, we may capture images of you on camera. We do this for security purposes. We may also record your telephone calls with us. We do this for the purpose of improving our services or because of a legal obligation and for the prevention and detection of crime. We handle video and audio recordings with due care. They are subject to the same rules as other personal data. You may exercise your rights, such as your right of access. Information about all your rights can be found here.

Other parties using your personal data

There are situations in which we need to provide your personal data to other people and entities involved in the provision of our services. These are described below.

Our service providers

We work with other companies that help us provide services to us and our clients. This is referred to as outsourcing. We are not permitted to pass your personal data on to them without good reason. This is governed by legal rules. We therefore carefully select these companies and clearly agree with them on how they are to handle your personal data. We remain responsible for your personal data held by us or on our behalf.

Intermediaries

We also work with intermediaries who introduce clients and business to us. Such intermediaries process your personal data and are responsible for how they use your personal data. Please visit the relevant intermediary's website to find out how it handles personal data.

Competent public authorities

Our supervisory authorities, law enforcement agencies, government entities, tax authorities or regulatory bodies around the world may ask us to provide data relating to you. The law specifies when we are required to provide this data.

Purchasers

In the event that we propose to transfer your contract to a third party Financial Services Provider, we may share personal information with the proposed transferee of your contract, to allow decisions to be made relating to that transfer and for the purposes of that transfer. This is within the legitimate interests of ABN AMRO, and to allow any such transferee to meet their legal requirements.

Use of your personal data for direct marketing purposes

If your business has previously purchased a product or service from us, or has provided a service or introduced a client, we are keen to keep you informed about similar products and services we offer that are relevant to your business’ or clients’ needs. This also applies if you are a visitor to our website. In order to do this properly, we use various sources. These are described below.

  1. The personal data that we received from your business or a third party in the context of the contract, service, introduction, or request for information on our products and services.

  2. Other sources of information, including public sources. We will always check first whether a public or other source of information can be used reliably.

  3. Third party referrals by suppliers, intermediaries, existing and former clients and contacts.

Social media

We use social media channels to publicise our organisation, products and/or services with clients, users of portals and visitors to the website. We do this so that we can offer useful, relevant information and/or answer questions we receive through social media. We use the internet and social media channels, such as LinkedIn and Twitter, for this purpose. If you have any questions or comments, please write to us: GDPR.AAL.UK@abnamroabf.com.

Security

We go to great lengths to ensure the highest possible level of protection for your information:

  • We invest in our systems, procedures and people.

  • We make sure that our working methods are in keeping with the sensitive nature of your information.

  • We train our people how to keep your information safe and secure.

For security reasons, we are unable to provide details of the precise measures we take. But you may have come across some of the following procedures we use to protect your personal data:

  • Security of our online services

  • We follow a rigorous process to establish your identity (authentication)

  • Requirements for sending confidential documents

Security is our shared priority. If, for example, you encounter breaches in our security, you can report them to us confidentially by sending an email to: security@abnamroabf.com.

Personal data outside Europe

Personal data is processed outside Europe too. Additional rules apply in that case, the reason being that not all countries have the same strict data protection legislation as we do in Europe. View the list of safe countries.

Sharing personal data within the ABN AMRO Group

We may share personal data outside Europe with other group companies. Our sharing of personal data is governed by our global internal policy, the Binding Corporate Rules (BCRs). These have been approved by the Dutch Data Protection Authority (Dutch DPA).

Sharing personal data with other service providers

We may occasionally share personal data with other companies or organisations outside Europe, for instance in the context of an outsourcing agreement. In that case, we ensure that either the country has adequate equivalent protections, or that we have concluded separate agreements with those parties, and that these agreements comply with the European standard.

How do we determine the period for which your personal data is stored?

We keep personal data in any event for as long as is necessary to achieve the purpose.

The General Data Protection Regulation does not stipulate specific storage periods for personal data. Other legislation may specify minimum storage periods, however. If it does, we are under the obligation to observe these periods. Such legislation includes tax laws or laws governing financial undertakings specifically.

If we become involved in a lawsuit or other legal proceedings, we keep personal data so that we can make a case for our position. We may store this personal data in an archive until any claims have expired and legal proceedings can no longer be brought against us.

What rights do you have?

Right to object to processing for direct marketing purposes

If you no longer want to receive offers for our products and services, you can unsubscribe at any time. All marketing messages include this possibility, and you can follow the link at the bottom of the marketing messages to exercise this right easily.

Right to object to profiling

It may be the case that you do not want us to use your personal data for profiling. Sometimes, however, we are allowed to do this, for instance to prevent fraud, manage risks or investigate unusual transactions, even if you object to the processing of data. In such situations, we will of course comply with the law.

Right of access, right to rectification, right to be forgotten, right to restriction of processing

  • You have the right to demand an overview of all data relating to you that we

  • If your personal data is incorrect, you can ask us to change your personal data.

  • You can ask us to erase your personal data at any time. We are not always able to do this, however, and we do not always have to agree to this, for example if we are required by law to keep your personal data for a longer period of time.

  • You can also ask us to temporarily restrict our use of personal data. You can do that if:

      • You think the personal data is incorrect;

      • We are not supposed to use your personal data;

      • We want to destroy your personal data but you still need it (for instance after the storage period has ended).

To exercise any of these rights, please contact The Data Protection Officer, ABN AMRO Asset Based Finance N.V., UK Branch, 5 Aldermanbury Square, London, EC2V 7HR.

Right to data portability

According to the General Data Protection Regulation, individuals have a new right: the right to data portability. This right applies when personal data of the individual is used to carry out a contract where the individual himself and not the business he or she represents is party to that contract, or when the individual has been asked for his or her consent for the processing of the data. ABF concludes an agreement with the business you represent or are related to and not with you individually. For this reason (except in limited circumstances where you may be a sole trader or sole director of a company) this right does not apply to you as a contact person at companies to which we provide services and with whom we are in correspondence, partner, director, shareholder, person with significant control, guarantor, security provider or beneficial owner (BO) of these companies, and also directors of associated businesses, directors of any intermediaries.

Questions about our Privacy Statement?

Do you have a complaint or want to ask a question?

Please contact us if you have any questions about the Privacy Statement: GDPR.AAL.UK@abnamroabf.com. We will be happy to help you. The Data Protection Officer, ABN AMRO Asset Based Finance N.V., UK Branch, 5 Aldermanbury Square, London, EC2V 7HR. If you do not agree with the way in which we handle your personal data, you can lodge a complaint with the Complaints Management department, ABN AMRO Asset Based Finance N.V., UK Branch, 5 Aldermanbury Square, London, EC2V 7HR; or contact us electronically by using the contact form found on the ABN AMRO website.

You also have the right to take your complaint to the Information Commissioner’s Office (ICO). If you are still unhappy with the response, or your complaint has not been resolved within a reasonable period, you may raise a concern with the Information Commissioner’s Office (ICO). You should raise your concerns with the ICO within 3 months of your last meaningful contact with us. The ICO can be contacted electronically on their website or by telephone on 0303 123 1113.

Changes to the Privacy Statement

Changes to the law or our services and products may affect the way in which we use your personal data. If this happens, we will make changes to our Privacy Statement and notify you of these changes. We will post any changes on our website or in the app.

Client Rights

In our privacy statement you will find which rights you have and what they contain. You will also find information on what personal data we process and for which purpose we use the personal data.

When you exercise your right to information or your right to data portability the requested data will be exchanged digitally via a secured environment.

You can exercise your client rights by sending an e-mail to: GDPR.AAL.UK@abnamroabf.com

Please formulate your question as precisely as possible and attach a copy of your passport. Make sure your Social Security Number is completely invisible to us. We will send you a response as soon as possible.

Glossary of key terms

The Data Protection Officer monitors the application of, and compliance with, the GDPR within ABN AMRO. The privacy statement states that you can put questions about the use of your personal data to the Privacy Office in a number of specific cases.

Biometric data: a collection of techniques used to measure and identify an individual's physical characteristics, such as facial recognition or voice recognition. We may use biometric applications for identification purposes, among other things.

Special categories of personal data: data that is so sensitive its use may seriously affect an individual's privacy. The GDPR provides the following list of special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Profiling: The GDPR defines profiling as: “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. Profiling is therefore permitted by law. This is a general definition that also applies to other controllers within the meaning of the GDPR. The bank will not use your personal data to evaluate your performance at work or your health.

EU list of adequate countries: The European Commission has identified a number of non-EU countries that are considered to offer a similar level of protection. The European Commission publishes a list of such countries on its website.

EU model clauses: These are standardised contractual clauses drafted by the European Commission. ABN AMRO Group also uses these standardised contractual clauses if it is required to transfer personal data to a country that does not offer the same level of protection as EU countries.

Dutch Data Protection Authority: the data protection authority in the Netherlands.

Group: ABN AMRO Group N.V. and its direct and indirect subsidiaries and branches and other entities in which ABN AMRO Bank N.V. has a majority stake. For the purpose of this privacy statement, a majority stake means that ABN AMRO Bank N.V. holds more than 50% of the shares in the relevant entity.

Guarantor: A guarantor is required to fulfil a client's financial obligations towards the bank if the client fails to fulfil them. The guarantor gives this undertaking in a contract that the guarantor concludes with the bank.

UBO: The UBO is the person who is the ultimate beneficial owner of a business or institution or who controls that business or institution.

Processing: Personal data processing is a broad concept that encompasses everything that can be done with personal data. “Using”, “destroying” and “providing” are forms of processing. The privacy statement refers to both the processing and use of personal data.