Privacy Statement ING Corporate Cards - ING Bank N.V.
General
This privacy statement provides information about the personal
data ING Bank N.V. in the Netherlands ('ING')
processes for its corporate card service delivery. ING concludes
corporate card programmes with business clients. Under these
programmes, corporate cards are issued to employees
("cardholders") of business clients. Cardholders
can pay with their corporate card for business expenses they make
during the performance of their job.
This privacy statement only applies to the processing of personal data related to cards that ING issues under its corporate card programmes with business clients. It does not deal with cookies and similar technologies that the corporate card website and app may use to gather personal information on users from their computer, smartphone, tablet or other device. The corporate card website and app provide their own statement that informs on the online gathering of personal data.
Compliance with data protection laws and regulations ING must comply with data protection laws and regulations applicable to it. One of the duties data protection laws impose on ING is the duty to inform individuals on ING's processing of their personal data. This statement does just that.
In addition, ING must comply with all other data protection duties data protection laws and regulations impose on it. This means, among others, that ING will only process personal data for specific purposes and on the basis of a legal ground for legitimate processing of such data. If applicable data protection laws require that ING obtains consent of an individual, then ING will obtain such consent prior to collecting and using the individual's personal data.
Personal data ING collects and uses
ING collects and uses the following personal data:
- Name, (email) address, date of birth, or phone number of
cardholders, programme administrators and legal representatives of
business clients.
- Transaction information per cardholder such as location,
amount, merchant category code, and information on failed and
rejected transactions. If agreed with the business client,
additional transaction details may be collected.
- Information on the spending limit on a card.
- In case of Individual Pay account number and information on
outstanding payments of cardholders.
- Telephone conversations between programme administrators
and cardholders on the one hand and the customer helpdesk on the
other hand. If a law or regulation applicable to the cardholder
prohibits the recording of telephone conversations, then ING will
not record such conversations.
Purposes for collecting and using personal data
ING collects and uses personal data for the following
purposes:
1. Performing the corporate card contract and services.
- Personal details of legal representatives, program
administrators and cardholders are processed to enter into and
perform the corporate card contract with the business client. To
enable the client to manage its business expenses, ING provides the
business client with statements and an online tool showing
corporate card transactions performed and the total amount spent
per cardholder.
- ING processes personal details of cardholders and
transaction information to issue corporate cards to cardholders,
process payments to merchants, provide cardholders with a
statement, an online tool and an app detailing their transactions.
The app informs them on how much they can still spend with their
card. For Individual Pay ING processes the account numbers of
cardholders to collect from their accounts the amounts spent with
their cards or debit their accounts for such amounts.
- If a programme administrator or cardholder calls the customer
helpdesk with a question or request, ING asks for address and/or
date of birth to verify the identity of the programme administrator
or cardholder.
2. Compliance with know-your-customer laws and regulations. To
comply with anti-money laundering and anti-terrorism financing laws
and regulations ING screens names and transactions of cardholders
against pre-defined screening lists globally. Screening of names
and transactions is mandatory. This is stipulated in various
applicable laws and regulations on the subject of fighting
Financial Economic Crime (FEC) including various sanctions regimes
which have an extraterritorial reach. ING is part of the chain of
law enforcement on fighting Financial Economic Crime in all its
variations, e.g. sanctions and Anti Money Laundering.
3. ING may monitor, record, store and use telephone calls to the
customer helpdesk, email or other forms of electronic communication
for the following purposes:
- To prevent, detect and investigate fraud or crime.
- Assessing the quality of its services.
- Training, coaching and assessment of the call center's
employees. If a law or regulation applicable to ING prohibits the
recording of telephone calls, then ING will not record such calls.
ING may provide records of telephone calls and electronic
communications to authorities to comply with laws and regulations
and to its unit in charge of security matters and/or its employees
responsible for monitoring compliance with corporate rules and
regulations.
No marketing to cardholders
ING does not advertise and market products and services of ING or
third parties to cardholders.
Transfer of personal data to third
parties
To perform its corporate card services ING makes use of several
service providers. ING only transfers personal data to these
service providers to the extent they need it to perform their
services. The service providers are located in the European Union.
Some of the service providers have a parent company in the United
States. This means that ING may transfer personal data to the
United States. However, ING takes care that transfers to the United
States comply with the requirements of data protection laws and
regulations applicable to it. All service providers are data
processor of ING, except for MasterCard Europe S.A. who acts as a
data controller in processing card payments for
ING.
Storage period
ING retains personal data only:
- For the period required to serve the purposes for which the
personal data are collected and used.
- To the extent reasonably necessary to comply with an
applicable legal requirement.
- As advisable in light of an applicable statute of
limitations.
Security
ING has implemented appropriate, and commercially reasonable,
technical, physical and organisational measures to protect personal
data against accidental or unlawful destruction or accidental loss,
alteration, unauthorised disclosure or access and all other
unlawful forms of processing. To achieve this, ING has implemented
technology risk standards and other relevant policies and processes
on the security of personal data.
Right of access, rectification, and
deletion
To request an overview, rectification, or deletion of your
personal data or to file a complaint on ING's personal data
processing you need to send a letter, accompanied by a photocopy of
a valid identity card, to:
ING afdeling Klant Events/WBP
Antwoordnummer 40060
8900 SB Leeuwarden
The Netherlands
Modification of privacy statement
ING keeps its privacy statement under regular review. Please check
this statement from time to time for any changes. This privacy
statement was last updated on 1 December 2015.
ING Bank N.V. has its registered office at Bijlmerplein 888, 1102 MG Amsterdam, the Netherlands, commercial register no. 33031431 in Amsterdam. ING Bank N.V. is registered with De Nederlandsche Bank (DNB) and the Financial Markets Authority (AFM) in the Credit Institutions and Financial Institutions Register. ING Bank N.V. is also subject to the supervision of the Authority for Consumers & Markets (ACM). For more information regarding the supervision of ING Bank N.V., please contact DNB (www.dnb.nl), the AFM (www.afm.nl) or the ACM (www.acm.nl).