Privacy Statement ING Corporate Cards - ING Bank N.V.

General
This privacy statement provides information about the personal data ING Bank N.V. in the Netherlands ('ING') processes for its corporate card service delivery. ING concludes corporate card programmes with business clients. Under these programmes, corporate cards are issued to employees ("cardholders") of business clients. Cardholders can pay with their corporate card for business expenses they make during the performance of their job.

This privacy statement only applies to the processing of personal data related to cards that ING issues under its corporate card programmes with business clients. It does not deal with cookies and similar technologies that the corporate card website and app may use to gather personal information on users from their computer, smartphone, tablet or other device. The corporate card website and app provide their own statement that informs on the online gathering of personal data.

Compliance with data protection laws and regulations ING must comply with data protection laws and regulations applicable to it. One of the duties data protection laws impose on ING is the duty to inform individuals on ING's processing of their personal data. This statement does just that.

In addition, ING must comply with all other data protection duties data protection laws and regulations impose on it. This means, among others, that ING will only process personal data for specific purposes and on the basis of a legal ground for legitimate processing of such data. If applicable data protection laws require that ING obtains consent of an individual, then ING will obtain such consent prior to collecting and using the individual's personal data.

Personal data ING collects and uses
ING collects and uses the following personal data:
- Name, (email) address, date of birth, or phone number of cardholders, programme administrators and legal representatives of business clients.
- Transaction information per cardholder such as location, amount, merchant category code, and information on failed and rejected transactions. If agreed with the business client, additional transaction details may be collected.
- Information on the spending limit on a card.
- In case of Individual Pay account number and information on outstanding payments of cardholders.
- Telephone conversations between programme administrators and cardholders on the one hand and the customer helpdesk on the other hand. If a law or regulation applicable to the cardholder prohibits the recording of telephone conversations, then ING will not record such conversations.

Purposes for collecting and using personal data
ING collects and uses personal data for the following purposes:
1. Performing the corporate card contract and services.
- Personal details of legal representatives, program administrators and cardholders are processed to enter into and perform the corporate card contract with the business client. To enable the client to manage its business expenses, ING provides the business client with statements and an online tool showing corporate card transactions performed and the total amount spent per cardholder.
- ING processes personal details of cardholders and transaction information to issue corporate cards to cardholders, process payments to merchants, provide cardholders with a statement, an online tool and an app detailing their transactions. The app informs them on how much they can still spend with their card. For Individual Pay ING processes the account numbers of cardholders to collect from their accounts the amounts spent with their cards or debit their accounts for such amounts. 
- If a programme administrator or cardholder calls the customer helpdesk with a question or request, ING asks for address and/or date of birth to verify the identity of the programme administrator or cardholder.
2. Compliance with know-your-customer laws and regulations. To comply with anti-money laundering and anti-terrorism financing laws and regulations ING screens names and transactions of cardholders against pre-defined screening lists globally. Screening of names and transactions is mandatory. This is stipulated in various applicable laws and regulations on the subject of fighting Financial Economic Crime (FEC) including various sanctions regimes which have an extraterritorial reach. ING is part of the chain of law enforcement on fighting Financial Economic Crime in all its variations, e.g. sanctions and Anti Money Laundering.
3. ING may monitor, record, store and use telephone calls to the customer helpdesk, email or other forms of electronic communication for the following purposes:
- To prevent, detect and investigate fraud or crime.
- Assessing the quality of its services.
- Training, coaching and assessment of the call center's employees. If a law or regulation applicable to ING prohibits the recording of telephone calls, then ING will not record such calls. ING may provide records of telephone calls and electronic communications to authorities to comply with laws and regulations and to its unit in charge of security matters and/or its employees responsible for monitoring compliance with corporate rules and regulations.

No marketing to cardholders
ING does not advertise and market products and services of ING or third parties to cardholders.

Transfer of personal data to third parties
To perform its corporate card services ING makes use of several service providers. ING only transfers personal data to these service providers to the extent they need it to perform their services. The service providers are located in the European Union. Some of the service providers have a parent company in the United States. This means that ING may transfer personal data to the United States. However, ING takes care that transfers to the United States comply with the requirements of data protection laws and regulations applicable to it. All service providers are data processor of ING, except for MasterCard Europe S.A. who acts as a data controller in processing card payments for ING.  

Storage period
ING retains personal data only:
- For the period required to serve the purposes for which the personal data are collected and used.
- To the extent reasonably necessary to comply with an applicable legal requirement.
- As advisable in light of an applicable statute of limitations.

Security
ING has implemented appropriate, and commercially reasonable, technical, physical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and all other unlawful forms of processing. To achieve this, ING has implemented technology risk standards and other relevant policies and processes on the security of personal data.

Right of access, rectification, and deletion
To request an overview, rectification, or deletion of your personal data or to file a complaint on ING's personal data processing you need to send a letter, accompanied by a photocopy of a valid identity card, to:

ING afdeling Klant Events/WBP
Antwoordnummer 40060
8900 SB Leeuwarden
The Netherlands

Modification of privacy statement
ING keeps its privacy statement under regular review. Please check this statement from time to time for any changes. This privacy statement was last updated on 1 December 2015.

 

 

ING Bank N.V. has its registered office at Bijlmerplein 888, 1102 MG Amsterdam, the Netherlands, commercial register no. 33031431 in Amsterdam. ING Bank N.V. is registered with De Nederlandsche Bank (DNB) and the Financial Markets Authority (AFM) in the Credit Institutions and Financial Institutions Register. ING Bank N.V. is also subject to the supervision of the Authority for Consumers & Markets (ACM). For more information regarding the supervision of ING Bank N.V., please contact DNB (www.dnb.nl), the AFM (www.afm.nl) or the ACM (www.acm.nl).