Privacy Policy

Data Protection Statement of CG Bank NV
This Data Protection Statement comes into effect on 02-05-2023.
CG Bank NV operates under the trading name CG Brussels in the Brussels-Capital Region.
Preliminary: the salient changes in this version of the data protection (formerly privacy) statement
CG would draw your attention to the most important changes in this data protection statement of CG Bank NV.
- Addition with regard to who to turn to if you have any complaints (see 2.10)
- Clarification with regard to the termination of the customer relationship within the scope of anti-money laundering, taxation
(see 3.1), fraud and ethical principles (see 3.3)
- Clarification with regard to the support and advisory services for businesses (see 3.2)
- Clarification with regard to the granting and the use of Kate Coins (see 3.2)
Table of contents
1 Part 1: We must work together to safeguard your privacy
1.1 This data protection statement applies to the processing of personal data collected by CG Bank NV through an agent, a branch, CG Live or the CG apps or from other sources
1.2 CG Bank NV and the other members of the CG group take care in how they handle your personal data
2 Part 2: Your right to privacy
2.1 You can access your data
2.2 You can have your data corrected
2.3 You can have your data erased
2.4 You can object to your data being processed for certain purposes
2.5 You don’t want CG to process your personal data to send you direct marketing
2.6 You can contest a decision taken by automated means
2.7 You can ask for your data to be transferred to a third party
2.8 You can ask for processing of your data to be restricted
2.9 How you can exercise your rights
2.9.1 CG customers
2.9.2 Platform users, prospects, property owners
2.10 You can lodge a complaint
3 Part 3: CG Bank has many reasons for processing your personal data
3.1 CG Bank NV must comply with laws, legal requirements and public order
3.2 CG Bank NV has to be able to judge whether it is feasible to contract an agreement or service
3.3 CG Bank NV processes personal data based on a legitimate interest
3.4 CG will request your consent to process your personal data in certain cases
3.5 CG Bank NV uses your personal data for direct marketing
3.5.1 Direct Marketing contract for personalised advertising
3.5.1.1 Who is offering the personalised agreement?
3.5.1.2 What are CG’s legal grounds for using your personal data?
3.5.1.3 What type of data processing is needed in order to provide the requested services?
3.5.2 Personalised commercial messages, with your consent
3.5.2.1 Commercial messages about financial products and services (occasionally referred to as ‘personalised information’)
3.5.2.2 Commercial messages about non-financial products and services
3.5.3 Limited personalised commercial messages, based on a legitimate interest
3.5.4 Marketing for platform users
3.5.5 Marketing based on your click and browsing behaviour
3.5.6 Marketing to prospects
3.5.7 What if you do not wish to receive personalised advertising (or less of such advertising)?
Public
3.6 CG will not sell your personal data
4 Part 4: CG Bank NV processes different types of data
4.1 Identification, data linked to a service and personal particulars
4.2 Data from third parties
4.3 Your current location can be important
4.4 CG can process information you share with its staff
4.5 Monitoring CG correspondence in written form
4.6 Recording telephone, video and chat conversations
4.7 Temporary storage of security camera images
4.8 Transaction details
4.8.1 Specific services CG provides to you based on your transaction data
4.9 More than just your own personal data may be involved.
5 Part 5: About cooperation, confidentiality and security
5.1 Not everyone at CG can look at your data
5.2 Data processed by CG data processors
5.2.1 Processors within the CG group
5.2.2 Processors and third-party joint controllers characteristic of the financial sector
5.2.3 Other processors
5.3 Processing by other data controllers
5.3.1 Other controllers
5.3.2 Voice Assistants
5.4 CG Bank NV processes your data on behalf of third parties
5.5 CG Bank NV takes specific measures to protect your data
5.6 CG does not keep your data for ever
5.7 Data transfer outside the EEA
5.7.1 Personal data transfer within CG
5.7.2 Processors outside the EEA
5.7.3 Data transfer to controllers outside the EEA
5.8 CG thinks before it answers queries from outside parties
5.8.1 Compliance with confidentiality obligations
5.8.2 Ombudsfin must apply to CG Complaints Management
5.8.3 Third parties must contact the ‘Third-Party Enquiries’ department
5.9 You can also help in protecting your data
1 Part 1: We must work together to safeguard your privacy
Your privacy is very important to us. Our aim is to process personal data in a manner that is lawful, fair and transparent. In this data
protection statement, we explain which of your personal data we collect from you as a natural person and then process.
We define several categories of individuals whose personal data we collect and process:
o CG customers (have entered into a contract with CG for banking and/or insurance products such as a bank account or
an insurance policy)
o Platform users (are not CG customers but do use CG’s additional services in the CG Mobile app)
o Prospects (are not CG customers and may or may not be platform users but are linked to CG, for example, as a
stakeholder or beneficiary)
o Owners of one or more immovable properties in Belgium.
1.1 This data protection statement applies to the processing of personal data collected by CG Bank NV through an agent, a branch, CG Live or the CG apps or from other sources
We recommend that you read this information carefully, so that you know the purposes for which CG may use your data. This data
protection statement also contains more information about your data protection rights and how you can exercise them.
CG Bank NV may make changes to this data protection statement. The most recent version is always available at
www.kbc.be/privacy. CG Bank NV will notify you of every all-important change to the content via its websites, Bolero Online, the
CG Mobile app, CG Touch, the Bolero App or other communication channels.
We also recommend that you read the CG cookie policy when you use one of CG’s digital solutions, such as the CG website
or a CG application. It explains what cookies are, which ones CG uses, how you change your cookie preferences and how CG
protects your privacy. The cookie policy can always be found in the digital solution itself. For example, you can consult the cookie
policy for the CG website at www.kbc.be, at the bottom of the web page.
1.2 CG Bank NV and the other members of the CG group take care in how they handle your personal data
CG Bank NV is a bank with operations in Belgium and a number of other countries worldwide. CG Bank NV’s head office is at
Havenlaan 2, 1080 Brussels. CG Bank NV is part of the CG group (also ‘CG’ in the following), which is an ‘integrated bank-insurance group’, i.e. CG is a group of companies that, through close cooperation, create and distribute banking, investment and
insurance products, and provide financial services.
The CG group principally focuses on retail customers, SMEs and high net worth customers, and mainly operates in Belgium, the
Czech Republic, Slovakia, Hungary, Bulgaria and Ireland. In addition, the CG group operates via companies and entities in a
selection of EEA and non-EEA countries. CG Bank has legal branches in various places including Germany, the Netherlands,
France, Ireland and Italy. For example, outside the European Union, this concerns countries or cities such as the United Kingdom,
the United States, China, Singapore and Hong Kong. These may have their own data protection statement, which differs from this
data protection statement. CG also works with parties outside the European Economic Area. You can read more about this in 5.7.
More information on the activities of CG Bank NV and the CG group is available at www.kbc.be.
CG Bank NV is the controller of personal data in the context contemplated in this data protection statement.
Aside from that, CG Bank NV also processes personal data on behalf of other CG group entities, such as where CG Bank NV
acts as an intermediary for CG Insurance or CG Asset Management. In cases such as those, CG Bank NV processes the data
of customers, insured persons and beneficiaries under insurance policies and under employee profit-sharing bonus programmes
of those other CG group entities. In so doing, it follows instructions issued by that other CG group entity, which acts as data
controller.
CG Bank NV also processes personal data together with other CG group entities as joint controllers. You can read more about
this in 3.5.
If there are good reasons for doing so, such as those explained in Part 3, CG may also make data available to other CG entities,
whether in Belgium or elsewhere. It can also process this data if it has been collected lawfully from another CG entity (in Belgium
or elsewhere). Naturally, this is only possible provided there is no legal impediment, such as a confidentiality obligation or a provision
of the data protection legislation.
2 Part 2: Your right to privacy
You have a lot of rights when CG processes your data. When CG Bank NV asks for your consent to process your data, you may
subsequently withdraw that consent whenever you see fit.
2.1 You can access your data
If you want to access the data concerning you that is processed by CG Bank NV, let us know. Some data can be accessed directly
by you, such as in the CG Mobile app, CG Touch, Bolero Online or the Bolero App.
If you exercise your right of access, CG will give you as complete a list as possible of your data. It can happen that some personal
data from files such as the usual back-up files, logs and stored/archived records (e.g., the existence of a consent) is not included
in that list. Such data is not within scope of the data processed on an ongoing basis and is therefore not immediately available. It
is possible to request access to data separately (e.g., cookie data).
In certain cases, anti-money laundering legislation prohibits CG from giving you access to the personal data about you that CG
processes. For example, CG cannot give you access to an anti-money laundering investigation. The law prohibits this, because
the release of such information could compromise the investigation. In such cases, you may request further information by e-mailing
dataprotection@kbc.be.
2.2 You can have your data corrected
It can happen that certain information held on you by CG Bank NV is not (or no longer) correct. You can ask for the data to be
corrected or completed at any time.
Customers of Bolero services can change certain details themselves by navigating to the settings menu in Bolero Online and the
Bolero App, as well as managing their communication preferences.
2.3 You can have your data erased
You can ask CG Bank NV to erase your personal data. If CG no longer has an overriding ground for processing your personal
data, CG will erase it. A legal requirement may prevent the erasure.
2.4 You can object to your data being processed for certain purposes
If you disagree with how CG Bank NV invokes its legitimate interests to process certain data, you can object to such use. We will
heed objections unless there are overriding grounds not to do so, such as when we process data with a view to combating fraud.
Below, you will find the main types of personal data processing operations based on the legitimate interest to which you can object: 
- Developing models for commercial purposes: Customers, platform users
- Range of products (see 3.3): Customers, owners
- Testing for application development: Customers, prospects, platform users
- Direct marketing (see 2.5): Customers, platform users
- Direct marketing for representatives of legal persons: Customers, prospects
- Commercial profiling: Customers
You are, of course, free to object to any specific processing of personal data at any time (see 2.9).
If you do not specify the reasons for your objection, CG will interpret your query broadly.
2.5 You don’t want CG to process your personal data to send you direct marketing
It is possible that you don’t want CG to process your personal data at all in order to send you direct marketing. CG respects that.
Simply e-mail mypersonaldata@kbc.be, drop in at your CG branch or your CG agency or contact our staff at CG Live. If you
are a platform user, CG will also ask you for the mobile phone number you used to register with CG.
But even if you exercise your right to object to direct marketing, you might still see an advertising message on a digital solution by
CG or through another channel. This may be a general advertising message, for which CG does not process customers’ personal
data, a browser notification regarding the Private Banking newsletter (for which you can withdraw your consent
at any time), or a personalised advertising message for which we only process your cookie data. If you don’t want the latter, you
can withdraw your consent to the collection of these cookie data and their use for sending customised commercial
messages. You can find out how to do this in our cookie policy.
2.6 You can contest a decision taken by automated means
Some data processing operations and processes are fully automated, without any human intervention. Some automated decisions
will have a greater impact on you than others, for instance in the case of a credit decision or insurance underwriting. In most cases,
CG calculates these profiles only for customers requesting or using a certain service that requires the use of these profiles (see
3.3 for more information about customer profiles). In other cases, CG calculates these profiles in advance.
CG will then inform you on the screens or in the terms of use of its own applications that it concerns an automatically generated
decision before asking for your personal data. CG Bank discloses the logic of this automatically generated decision and its
consequences at the moment of processing itself via a link to the ‘Annex to the CG Data Protection Statement – automated
decision-making’, which you will also find at www.kbc.be/privacy.
If you are dissatisfied with the result of such a fully automated decision, you can contact CG Bank NV via CG Live or any CG
branch. You can, for example, ask a CG staff member to intervene or tell them why you disagree with the decision and request to
view the decision taken.
Automated decision-making is often based on an underlying customer profile.
2.7 You can ask for your data to be transferred to a third party
You are entitled to ask CG for personal data that you yourself have provided to CG with your consent or in the process of
performing a contract to be transferred back to you or to a third party.
Legislation lays down a number of limitations to this right, as a result of which it does not apply to all data.
2.8 You can ask for processing of your data to be restricted
In some cases, you may ask CG to restrict processing of your personal data. Exercise of this right is conditional. You can exercise
your right to restricted processing:
– during the period needed by CG to verify the accuracy of your personal data if you challenge the accuracy of personal data
concerning you that CG processes;
– where processing is unlawful but you do not want the personal data erased;
– when CG no longer has a purpose for processing the personal data but still needs it in connection with a legal claim;
– pending CG’s reply on whether CG’s legitimate interest outweighs yours, when you have exercised your right
to object to processing for which CG invokes its legitimate interest as legal basis.
2.9 How you can exercise your rights
Depending on the type of customer you are (see Part 1), you can exercise your rights in various ways.
2.9.1 CG customers
Be as specific as possible when you exercise your rights. CG Bank NV can only properly answer queries couched in sufficient
detail. CG Bank NV will need to be able to verify your identity in case someone else tries to exercise your rights. CG may therefore
ask for a copy of your identity card when you make such a request. If you are a platform user, CG will also ask you for the mobile
phone number you used to register with CG.
If you have a question or a comment, you can go to your CG branch or your CG Insurance agent, or e-mail it to
mypersonaldata@kbc.be. This is your first resort for all enquiries regarding data protection.
You can consult, amend or terminate the use of certain data yourself via CG Touch, the CG Mobile app, Bolero Online, the
Business Dashboard, CG 4 Business or a branch ATM.
If you would like more information or if you do not agree with the standpoint adopted by CG Bank NV, be sure to visit the website
of the Belgian Data Protection Authority, www.dataprotectionauthority.be. You can also lodge complaints there.
In some cases, you can also exercise your rights directly against third parties. That applies, for instance, to the databases that the
National Bank of Belgium (www.nbb.be) maintains, such as its Central Individual Credit Register, its Central Corporate Credit
Register and the NBB Central Point of Contact.
2.9.2 Platform users, prospects, property owners
You can also exercise your rights if you are a platform user, prospect or property owner. To do so, please send an e-mail to
mypersonaldata@kbc.be, stating your name, the telephone number you used to register in the application and, if applicable, the e-mail address.
2.10 You can lodge a complaint
If you have a complaint concerning exercise of your rights, CG Complaints Management will be happy to look into it.
• CG Complaints Management, Brusselsesteenweg 100, 3000 Leuven, or via e-mail (complaints@kbc.be).
• Also via CG’s electronic channels (including the CG website, CG Touch, Bolero Online and the Bolero App).
You can also always contact the ‘Data Protection Officer’ at CG Bank NV by writing a letter to CG Bank NV, Group Data Protection
Unit (Group Compliance), Havenlaan 2, 1080 Brussels, or by sending an e-mail to dataprotection@kbc.be.
If you would like more information or if you do not agree with the standpoint adopted by CG Bank NV, be sure to visit the website
of the Belgian Data Protection Authority, www.dataprotectionauthority.be. You can also lodge complaints there.
3 Part 3: CG Bank has many reasons for processing your personal data
These reasons have been grouped according to the applicable legal basis.
3.1 CG Bank NV must comply with laws, legal requirements and public order
Mandatory reporting to the National Bank of Belgium
• Financial institutions are required by law to share certain information relating to their customers and proxy holders with the
Central Point of Contact of the National Bank of Belgium, de Berlaimontlaan 14, 1000 Brussels, Belgium (www.nbb.be).
Consequently, CG is required to share information regarding its customers’ and proxy holders’ identities and their
financial contracts, including information relating to:
o the opening and closing of accounts, and powers of attorney for those accounts, including the date and the
account number;
o cash transactions;
o the conclusion and termination of financial contracts and the applicable dates, such as: contracts for safe-deposit
box rental, specific investment services, loans, including mortgage loans, repayment loans and open-ended credit
facilities.
o The account balances and financial contracts.
• If any information registered with the Central Point of Contact by CG is incorrect, you can request that it be corrected or
removed.
• The Central Point of Contact registers the information and keeps it for a period of ten years for tax investigation, verification
and collection of certain receipts, investigation of criminal offences, to combat money laundering and the funding of terrorist
activities and major crimes, solvency investigation in the event of collection of confiscated amounts, data collection by
intelligence and security services, bailiffs in the event of attachment, and notarial searches related to tax returns for estates.
Access to the information held by the Central Point of Contact is regulated by law. The National Bank of Belgium keeps a
list of all requests to access information held by the Central Point of Contact for a period of two calendar years.
• You will find all of the details regarding the Central Point of Contact for accounts and financial contracts in the Act of 8 July
2018, and in Section 322, Subsection 3 of the 1992 Income Tax Code and its implementing decrees.
Anti-Money Laundering Act and preventing the financing of terrorist activities
• Banks must deploy all possible means to prevent, uncover and/or report instances of money laundering and financing of
terrorism to the authorities. This is a matter of considerable public interest. CG Bank NV must therefore take the necessary
steps for this, at both central and local levels. For example, CG has to gather data on customers and groups of customers
or issue risk alerts.
• Specifically, CG Bank NV has to:
o identify you as a customer, representative or ultimate beneficial owner;
o verify your identity;
o determine your profile (in relation to the risk of money laundering), which involves collating various personal and
business data, such as whether you’re a politically exposed person;
o check your actions and transactions and prevent certain transactions and report them to the Financial Intelligence 
Processing Unit.
• In doing so, CG Bank NV uses details given to it by you personally, plus data that can come from other channels (like
Thomson Reuters’ World-Check, Graydon, Dun & Bradstreet, Swift, Internet search engines, social media, the Internet,
etc.).
• For example, CG Bank NV has to be in possession of a recent copy of your identity card. CG will therefore scan in your
digital identity card (e-ID) as a matter of course, for example if you register at a CG or Batopin ATM with your e-ID or if
you use your e-ID to confirm changes to your address or contact details as held by CG Bank.
• CG Bank NV may also process your personal data within the scope of the decision to terminate a customer relationship
for anti-money laundering reasons.
Sanctions rules
• In the context of the part they play in fighting terrorism and their obligations under sanctions rules, banks are required to
screen customer details against sanctions lists. Transactions are also monitored. In some cases, underlying documents
are requested and payments may be held back (see the sanctions legislation as well as EU Regulations 2580/2001 and
881/2002). Here, too, CG Bank NV uses outside sources such as the Thomson Reuters World-Check.
Prevention of market abuse and conflicts of interest
• Banks are also required (including at group level) to prevent, uncover and report improper use of insider dealing and
market manipulation and to notify suspect dealings to the authorities (see inter alia Articles 16 and 17 of the Market Abuse
Regulation of 16 April 2014).
• CG may, directly or indirectly, provide loans, credit facilities or secondary guarantees and insurance contracts to the
members of the Board of Directors and persons associated with them, to the members of the Executive Committee and
the persons associated with them, and to associated companies. This must be carried out in line with market conditions.
CG has decided to register the identification details of these parties in the persons database so that these parties are
recognisable in the systems. In this way, CG manages to comply with the relevant legislation.
Mandatory use of personal data in banking services
• Banks are responsible for recording transactions in their books of account (required under the accountancy legislation,
including the Royal Decrees of 23 September 1992).
• For payment transactions, banks have to pass on details of the originator or payee to the receiving or transferring institution
regardless of where it is established (e.g., Section 3 of part VII of the Economic Law Code plus its implementing decrees).
• Banks have to consult certain databases for given types of credit (including current account overdrafts) or to enter
information in those databases about the terms and conditions of the relevant agreements and the extent to which they’re
complied with. For example, they may:
o determine your borrowing options and repayment capacity, or make it possible for other institutions to do so;
o perform risk management;
o allow the National Bank of Belgium to perform scientific and statistical research and to do the work devolved upon it
by law.
• As a rule, CG Bank NV refers to the Central Individual Credit Register for all grants of consumer credit. The Central
Corporate Credit Register keeps the data available for viewing for one year following the calendar month it relates to
(under the lending statutes including the consumer credit and mortgage security acts and the Central Individual Credit
Register (Chapters 1, 2 and 3 of Section 4 of Part VII of the Economic Law Code), the secondary Central Individual Credit
Register legislation (Royal Decree of 7 July 2002), the Act on the Central Corporate Credit Register of 4 March 2012 and
the secondary Central Corporate Credit Register legislation (Royal Decree of 15 June 2012)).
• MiFID II (the Second European Markets in Financial Instruments Directive) requires banks to allocate their customers to
certain categories. Natural persons automatically qualify as non-business customers (or Retail customers), although they
can require reallocation as business customers in particular cases. Banks rendering investment advice are required to
collect information appropriate to the relevant customer type on the customers’ knowledge and experience, financial
resilience, investment objectives, and attitude towards risk and return in connection with products offered to them (see the
provisions transposing MiFID II, including the Act of 2 August 2002 and the Royal Decree of 3 June 2007). In addition,
under MiFID II banks have to examine whether customers form a certain product’s ‘target market’. Banks whose offering
is limited to ‘execution only’ services such as the Bolero platform, also have to collate information according to customer
category, which will mainly relate to the customer’s financial knowledge and experience.
• Banks also have responsibility for identifying account holders and the beneficial owners of accounts, safe-deposit boxes
or insurance products in the context of reviving dormant accounts, safe-deposit boxes and insurance products (see the
Act of 24 July 2008 and the website at www.slapendetegoeden.be to find out more).
• As provided by law (PSD2), CG as bank is obliged to provide access to the balance and transaction information of its
customers’ payment accounts, insofar as the customer has installed an online app. This access is only granted to third
parties that are authorised to operate in Belgium (including other banks) and based on the consent granted to these third
parties by the customer. CG does not have the right to verify the validity of the consent granted to such third parties.
• The National Bank of Belgium requires banks to request a certified Energy Performance Certificate for home loans. This
certificate is also compulsory if a home qualifies for an interest subsidy. CG also processes the information in order to
monitor the value of the loan portfolio. 
• As borrower, CG must annually inform the Vlaams Energie- en Klimaatagentschap (VEKA) i.e. the Flemish energy and
climate agency (in Dutch only) about the interest paid by borrowers for a renovation loan. VEKA then later pays an interest
subsidy to the borrower if the conditions, such as improved energy performance, are met.
• Under the Shareholders Rights Directive II, listed companies have the right to identify their shareholders. When listed
companies exercise this right, as intermediary CG Bank is obliged to pass on data such as the identity, place of residence,
e-mail address, a legal entity’s registration number, etc.
Carrying out the Compliance function
• CG can use personal data for the purposes of checks, investigations and opinions in areas subject to compliance
considerations (such as prevention of money-laundering and fraud, investor and consumer protection and data protection).
Other risk monitoring
• Banks are responsible for appropriately controlling risks (including at group level). They are required to detect, prevent,
mitigate and address risks. Examples include credit, insurance, counterparty and market risk, risks concerning information
management and statutory compliance, the risk of staff, customer and/or supplier fraud, the risk of unethical behaviour by
staff or breaches by them of their duties of care. Risk management has to be ensured at both central level (gathering data
on customers and groups of customers) and local level (e.g., circulating risk alerts). In this context, all forms of risk profile
are moreover stipulated (see the provisions governing credit institutions, inter alia the Credit and Stockbroking Institutions
(Status and Regulation) Act of 25 April 2014 and the Insurers and Reinsurers (Status and Regulation) Act of 13 March
2016).
Mandatory disclosure and reporting to the authorities
• Banks also have to respond appropriately when you exercise your rights under the data protection legislation: they are
also required to answer questions from the Data Protection Authority, such as if a complaint is made.
• Banks have reporting duties and need to respond to questions to and from the authorities and bodies with supervisory
duties relative to financial institutions such as the Financial Services and Markets Authority (www.fsma.be), the National
Bank of Belgium (www.nbb.be) and the European Central Bank (‘ECB’ – in the context of certain of its oversight functions,
including the Credit and Stockbroking Institutions (Status and Regulation) Act of 25 April 2014 as well as the Act of 2
August 2002 (AnaCredit reporting)).
• Upon a customer’s death, tax legislation such as the Inheritance Tax Code requires banks to file an official
list of the deceased’s assets with the authorities.
• Banks have to respond to queries from the tax authorities or may need to voluntarily exchange information for the purposes
of tax law (the Income Tax Code, the Foreign Account Tax Compliance Act (FATCA), the Common Reporting Standard
(CRS) and the European Directive on administrative cooperation (DAC 6)).
• CG Bank NV may also process your personal data within the scope of the decision to terminate a customer relationship
for tax reasons.
• Banks also have to respond to enquiries put to them by the courts administration (covering law enforcement right from the
police, through investigating judges and prosecutors to trial courts) and especially concerning matters falling under the
police statutes and court procedure in general (whether civil (Judicial Code) or penal (Criminal Investigation Code)).
• In order to comply with the European Directive on the protection of whistle-blowers, CG processes reports in the EQS
Integrity Line www.eqs.com. The application guarantees whistle blowers’ confidentiality and anonymity (as an option)
during and after the investigation, and reports the result internally and to the relevant authorities.
3.2 CG Bank NV has to be able to judge whether it is feasible to contract an agreement or service
Financial services
Before CG Bank NV concludes a contract for a financial or banking product, it may be necessary for certain information to be
processed and/or to be analysed for profiling in order to deal with the application and assess properly whether the agreement can
be concluded and, if so, under what terms and conditions. Examples include information collated and processed when a credit
application is received (whether this involves an estimate of the property on which a mortgage or other security instrument is
established makes no difference here), or when we are requested to issue a bank guarantee and process the contact details of the
beneficiary or their contact.
CG offers its services through various channels, directly in the CG branches, via CG Live or in the CG apps, as well as through
intermediaries.
As a customer of CG Bank NV, you use various services and your doing so renders administrative and accounting processes
incumbent on CG Bank NV. Examples of processing for the performance of contracts include the administration of accounts,
payments, deposits, lending, credit monitoring, monitoring security arrangements, safe-deposit boxes (physical or digital), custody,
financial instrument transactions, investment advice or wealth management paying due regard to your investor risk profile, selling
insurance and brokering financial leases, etc.
When you perform a payment transaction, CG Bank NV passes the payee information on the transaction’s progress (e.g., general
information on why the payment is not passing via a direct debit).
CG processes the personal data of representatives of legal persons in order to authenticate and communicate with the legal
persons and to exercise the company powers for CG services and products.
Security Deposit Savings Accounts can be set up on the CG website by the tenant or the landlord: the
facility is open to both, but the tenant, who becomes the holder of the Security Deposit Savings Account, is the bank’s customer.
And the tenant’s personal data, like every other customer’s, gets processed by CG. The landlord, on the other hand, need not
necessarily be a customer of the bank’s. But because we have to be able to identify them and the subjects of let in respect of which
the escrow is bailed, we also process certain necessary personal data of the landlord.
To be able to give investment advice that’s more personal to you, CG Bank NV combines the information in your investor profile
with certain other details (such as your age and your investment horizon) to gauge your attitude to losses you might incur.
CG Bank NV engages in bank-insurance business and therefore works closely together with CG Insurance. To facilitate this,
CG Bank NV and CG Insurance have a large sales network of bank branches and insurance agencies.
CG wants to make investment advice accessible to a wide audience, which includes the use of digital channels. CG calculates
behavioural forecasting MiFID customer profiles based on historically available personal data such as transaction data, combined
with personal characteristics. CG calculates the customer profiles specifically for the department where the associated
administrative and accounting processes are executed.
Additional services offered in the CG Mobile app
- CG’s own products and services
In the CG Mobile app, CG Bank NV offers its customers a few of its own non-financial products and services outside the general
fields of banking and insurance, which may also be available to platform users, e.g., Goal alert, Digital Safe, Digital My Real Estate
Dashboard and Joyn loyalty cards. CG Bank NV processes personal data to provide these services and, if the service functionality
so requires, personal profiles calculated for that purpose.
- Partners’ products and services
In CG Touch and the CG Mobile app, CG Bank NV offers its customers non-financial products and services of partners outside
the general fields of banking and insurance. If data needs to be exchanged to ensure efficient use of the partner’s service, CG will
inform the customer accordingly in the process. CG also ensures secure payment. This information is also available in the CG
Mobile app.
To enable such apps to function properly, CG exchanges personal data with the partner company, whereby CG is usually the
data controller in its environment (for payments or, for example, to pre-populate a form with your data) and responsible for the
transfer of customer data to the third party. The partner company is the data controller in the context of the service to be provided
(such as issuing your ticket).
Through the CG Mobile app, CG also wants to give you access to your personal government documents that can be consulted
electronically in My e-Box. The condition is that you link your My e-Box account to the CG Mobile app. Only you get to see the
documents. CG cannot see or process the content of the documents. If a new document becomes available for you, you will be
notified.
CG also develops specific applications for entrepreneurs, such as the cooperation with Go Solid NV for the collection of invoices,
or with NOWJOBS NV for the recruitment of temporary staff. In the CG Business Dashboard, an online application for businesses,
CG also makes services of third parties available. With your account, you can log in to companies that provide specialised services
for businesses, such as BrightAnalytics BVBA, Cashforce NV and Soluz.io NV. In order for you to log in securely, CG exchanges
identification data (surname, first name and your identification number with CG or a specific identification code) with these
companies, subject to your consent. You can find NOWJOBS in CG Mobile under Additional services – Offers for your business.
You must contact those third parties for more information on the protection of your personal data and to exercise your privacy rights.
Payment services remain the core of the CG Mobile app. CG integrates the Payconiq by Bancontact app in the Mobile app so
that you can easily buy something or transfer money to an acquaintance without a bank card or cash. For the latter, it suffices to
select your contacts from the contact list on your phone. CG asks your consent to view that contact list and shares your selected
contacts’ mobile phone numbers with Payconiq, under the responsibility of Payconiq, in order to make the payment possible. ‘Split
group expenses’ is a CG service integrated in the Mobile app that allows you to share expenses with your acquaintances. This
service also uses your phone’s contact list. When you use the service, CG sends a text message with a request to the
acquaintance(s) you have selected.
Partners’ products and services for platform users
If you are a platform user, you too may use some of the above-mentioned services in the CG Mobile app. In order to be able to
offer you the services, CG needs some information from you (e.g., mobile phone number, e-mail address, date of birth). CG
keeps your personal data in order to be able to provide the service and to simplify the purchase of such services in the future. In
order to avoid your having to fill in these data over and over again, CG will keep your data for a limited period of time. If you do
not use the services for a certain period of time, CG will delete your data. You may always remove your data yourself by deleting
your profile in the CG Mobile app.
Ask Kate for help
Kate, the personal digital assistant, is a service within the CG Mobile app.
The Regulations for the CG Mobile app specify what you can expect from Kate and how the assistant works. If Kate is unable to
assist you further, she can refer you to CG Live.
• ‘Extra convenience’
If you accept the Regulations for the CG Mobile app, you can opt for ‘Extra convenience’ (you can deactivate this feature at any
time in CG Mobile), in which case CG will provide you with the following services:
- your advanced digital assistant Kate proactively offers personalised assistance and can send you messages about products, 
services and applications offered by CG if you use other CG applications for which Kate has been activated. To allow
assistance to be provided and hence to be able to anticipate your behaviour, wishes, risks and needs, Kate analyses the
current and past information CG has on you – personal data or information regarding you in your capacity as legal
representative – and your family, such as transaction details, your use of the products, services and applications offered by
CG as well as insights gained through market analysis, general customer behaviour analysis and general analysis of the
use of CG products and services. Kate will apply these analyses to your specific individual or family situation (profiling) in
order then to be able to offer a personalised service.
- If you use ‘Additional services’ in the CG Mobile app, CG may use the data processed in that context to provide you with
‘extra convenience’ relating to services as well. For example, CG can proactively consult the data it shows you when you
go to the Sodexo service, so that Kate can let you know when you’re about to run out of Sodexo service vouchers. An
up-to-date list of eligible additional services can be found here.
- Additional information in the CG Mobile app or CG Touch, such as the location where you performed a transaction, the
merchant’s brand name and logo, etc. to help you understand and identify the context of the transaction as a holder of a CG
Basic or Plus Account;
- Useful insights that may draw your attention to things that we assume you should take a look at, such as unexpected
behaviour on your current account or in your expenses, or an expectation that your account is insufficiently funded.
- When you purchase certain CG products or services, or carry out certain actions in CG Mobile, you earn Kate Coins, CG's
digital coin. To correctly grant those Kate Coins, CG must process your specific behaviour, or the purchase of certain
products or services that allow you to earn Kate Coins in this context.
- We also need to register and display Kate Coin transactions and the balance on CG Mobile. We keep this information until
the expiry date of the Kate Coin concerned. To let you use the Kate Coins, we register the exchange of the Kate Coins for a
specific benefit, e.g., a webinar, or for a cashback on the purchase of a certain product.
You can deactivate ‘Extra convenience’ at any time without affecting the functioning of the CG Mobile app. You will still be able to
ask Kate any questions you have.
CG can also communicate with you separately from the Kate terms and conditions. In that case, personal data will only be
processed if CG has another valid legal basis for doing so.
• Ask Kate a question
You can still ask Kate any questions, even if you’ve deactivated ‘Extra convenience’. You decide how to use the service. You can
ask Kate simple questions by speaking or typing them in the chat function about banking and insurance matters and about other
products, services and applications offered by CG. To answer your questions, Kate uses the necessary, limited personal data. If
you don’t ask Kate anything, no personal data will be processed for the digital assistant. Answering some questions might require
a more comprehensive analysis of personal data. This will only occur if you opt for ‘Extra convenience’.
Expense management for business owners
The CG Mobile app and CG Touch provide holders of a CG Company Account with the ‘send expenses’ service (when
activated), which gives you an overview of anticipated expenses on the account based on your transaction data.
Support and advice for businesses
For the more complex needs and requirements of SMEs and Corporate Banking customers, CG offers specific support and
advisory services such as, for example, on growth strategy or the optimal approach to working capital. To this end, CG processes
your personal data related to your business, such as product ownership, product usage and transactions.
3.3 CG Bank NV processes personal data based on a legitimate interest
In addition to compliance with statutory duties, the performance of a contract and consent, CG Bank NV and the CG group as
commercial undertakings have certain ulterior legitimate interests on the basis of which they process personal data. These are
inspired by the need to function as a business and to enable new initiatives to be developed and offered to customers. In that
regard, CG ensures that the impact on your privacy is kept to a minimum and that, in all events, CG’s legitimate interests remain
proportionate to the impact that upholding them has on your privacy. Nonetheless, if you harbour an objection to this use being
made of your data, you may exercise your right to object. CG will respect your objections unless CG has compelling reasons for
not doing so.
There are various situations in which CG processes personal data:
Risk management, security and measures to prevent fraud
Identification and prevention of major risks, such as the risk of fraud, cyber and credit risks, based on in-depth data analysis
• CG Bank NV uses your personal data, including transaction data, to conduct studies, create models and generate
statistics for various purposes: regulatory reporting, more effective internal control, fraud analysis and combating fraud,
risk analysis, security and other non-commercial purposes.
• CG develops risk signals. Your behaviour influences the risk signals. If CG detects from internal or external sources
that you are in arrears with the repayment of a credit, that you are misusing your payment or credit card, that you are part
of a collective debt repayment scheme, that you gamble heavily, that you are involved in a fraud case or a money
laundering case, that you are providing your cooperation to terrorism, weapons or human trafficking, etc., this will be
identified as a risk signal, which may have considerable consequences. A result may be that CG won’t give you credit or
that a local branch cannot decide on a credit, that an employee must consult the compliance department before dealing
with you, that CG doesn’t want to do business with you or decides to terminate the relationship. 
• CG can use your personal data to prevent, detect and investigate fiscal fraud in conjunction with (Belgian) payment
systems and providers of other payment services.
• Data processing may be carried out in order to guarantee the safety, security and monitoring of persons and goods.
• Personal data, including biometric data, can be used for various purposes, including to detect and put a stop to fraud and
cyber risks. For example, every time you add a CG debit card in the Payconiq by Bancontact app, Bancontact Payconiq
Company sends data such as the card number and IP address to CG through a secure channel, which CG can then
analyse further.
• CG shares the personal data (including subsequent updates) of the legal representatives and ultimate beneficial owners
of any company that is a CG customer with other banks where that company is a customer or wants to become a
customer. Subject to the same conditions, CG can also receive personal data about the legal representatives and ultimate
beneficial owners from other banks. The purpose of this exchange is for every bank to have the most up-to-date KYC data
of its customers. This is how CG Bank NV contributes to the fight against fraud and money laundering. Moreover, it may
simplify and accelerate the customer onboarding process for both the company and the bank. CG Bank NV cooperates
with Isabel and other associated Belgian banks in this regard.
• When you purchase certain CG products or services, or carry out certain actions in CG Mobile, you earn Kate Coins,
CG's digital coin. To correctly grant those Kate Coins, CG must process your specific behaviour, or the purchase of
certain products or services that allow you to earn Kate Coins in this context.
• We also need to register and display Kate Coin transactions and the balance on CG Mobile. We keep this information
until the expiry date of the Kate Coin concerned. To let you use the Kate Coins, we register the exchange of the Kate
Coins for a specific benefit, e.g., a webinar, or for a cashback on the purchase of a certain product.
Use of personal data for the CG organisation
Use of personal data for internal and regulatory reporting and internal control, and to defend rights and communicate as a company
• CG may utilise personal data for the administration, (risk) management and oversight of the CG group’s organisation,
such as the legal department (including dispute management and legal risks), risk management (such as general credit
risk and insurance risk calculations vis-à-vis customers and groups of customers worldwide), risk functions (e.g.,
Compliance, for all duties not strictly required by law but that are in fact necessary or useful) and inspections, complaints
management and internal and external audit. We retain personal data for possible future evidential use. Storage may be
entrusted to outside third parties.
• CG may utilise personal data to support and simplify the processes of customers beginning to use, using and ceasing to
use products and services, including avoiding resubmitting information you’ve already submitted. Thus, to avoid your having to
go through an entire ID verification process if you want to become a customer elsewhere in the CG group, CG
Bank NV may pass on details of your identity to other companies in the CG group in order to speed up their process of
verifying your identity.
• CG may also utilise personal data for determining, exercising, defending and preserving the rights of CG Bank NV or
persons whom it might represent (e.g., in disputes).
• CG can use your personal data to create synergy, increase efficiency and produce other benefits for its organisation and
processes. For instance, CG can combine aggregate data from customers with publicly available data to optimise the
integration of CG bank branches and independent CG insurance agencies.
• CG processes personal data for internal reports and reports required by the authorities, for risk management, for the
organisation of internal controls, but also to defend CG’s rights and to communicate as a company.
• CG may also collate personal data that CG entities have at their disposal for creating segments (such as private
individuals, businesses and private banking).
• To provide you with good service, it is important for us to share information within the organisation and to group that
information together in the hands of (central) relationship managers, for instance in a CRM application to maintain your
customer overview.
• CG cooperates with preferred third-party service providers for its range of banking and insurance products (see 3.2). To
be able to screen and later contact possible future merchants, CG collects identification and contact details of these
potential trading partners. The data may have been communicated to CG in response to a business event or published
on social media or be publicly available.
• CG keeps the contact details of journalists obtained directly or indirectly, so that CG can contact them at the appropriate
time, for example to contact the press in case of news updates.
• CG is an international organisation that works and communicates in Belgium’s national languages, English and various
other languages. Translations are essential in that regard. Many of the source texts and translated texts contain personal
data. CG Language Service deletes these data at the latest 90 days after the translation.
• CG wants to offer its customers a personalised customer experience, irrespective of the channel the customer has
selected (branch, CG Live, CG Mobile app, Kate). Information you share with a staff member may be stored in the
customer relationship management system for retrieval at a later date or in another channel.
Linked to the provision of certain services
Personal data is processed to support ICT systems and software, improve processes, coach staff and improve services
• While apps are being developed, tests need to be carried out using personal data, including the final acceptance test 
before an app can be put into production. Where necessary, this may be done in conjunction with third parties appointed
by CG.
• If CG investigates issues in applications, it may process personal data for that purpose.
• Incident management solves issues at customer level. When IT systems’ integrity has been compromised, CG can
resolve issues by recreating missing factors, as part of which CG processes personal data.
• CG may use personal data in evaluating, simplifying, testing or improving its processes, digital apps and standard-form
documentation and to optimise promotional campaigns, simulation exercises and online sales, such as by using
information from cookies (e.g., preference settings and click and browsing behaviour on our website) to follow up on a
simulation left uncompleted, statistics or a satisfaction survey.
• CG uses services provided by third parties (infrastructure management) that monitor, investigate and, where necessary,
restore the performance of CG infrastructure and software. During these processes, personal data may temporarily be
visualised as a technical object. CG concludes contracts by way of security and provides for technical security both
internally and externally to minimise the processing of personal data and maximise security.
• CG records telephone conversations for purposes related to training and coaching its staff and improving the quality,
security and oversight of processes, for brief periods of one month.
• The dealings of CG’s ‘Corporate Mergers & Acquisitions’ team (M&A) extend over all and any types of CG products and
services. It is possible that, in the process of acquiring or disposing of some part of its business or another, CG might
exchange personal data with companies in the CG group and third parties.
• Even though there might be no legal obligation to verify the Central Individual Credit Register, CG always does so when
lending to consumers.
• CG processes personal data, including transaction data, in order to gauge your knowledge and experience in relation to
investments with a view to protecting investors (MiFID).
• To ensure each property estimate is as accurate as possible, CG performs a few calculations (such as the construction
area, roof surface and volume) based on the address (obtained from the Land Registry or purchased) for every property
having an address in Belgium. These calculations can be enhanced using data collected through specialised third parties
(such as Vansteenlandt). These property estimates are used for the ‘My Real Estate Dashboard’ service or for third-party
services, or in the context of potential mortgage lending.
Developing models for customer comfort and for marketing purposes
Support of commercial activities based on in-depth data analysis
• Insight gained from analytical models allows CG to build customer profiles. CG then adjusts the model to you either as
an individual or at the level of your family and may also, exceptionally, apply it to another person for the following purposes:
o Gathering data from different companies of the CG group in these analytical models makes it possible to obtain
data-driven insights that support the CG group in making strategic choices; and
o Developing commercial policies, taking into account customers’ behaviour and wishes.
Profiling for marketing purposes
Use of data for personalised commercial messages about CG products and services
• Profiling to personalise and steer direct marketing. CG Bank uses these profiles to offer customers, prospects or platform users
CG’s and CG partners’ products and services (see 3.5.3) or to determine the commercial policy for a particular person.
Ensuring the best possible customer experience
• Customisation of product and service offers by both itself and third parties.
• CG uses personal data to send you messages or to contact you in connection with services you’ve requested from CG
or from a third party through the CG Mobile app, for instance to remind you to repay your outstanding credit card balance
before the due date. You can disable these messages in the CG Mobile app (under Profile/Notifications).
• When you fill in a CG Bank NV form, we naturally process the data needed to administer the process that you completed
it for. This means that data you enter during a simulation may be stored in the meantime, saving you having to enter it
again if you interrupt the process or want to start again later.
• If you started a simulation or sales process but stopped before completing it, we may contact you to see what went wrong
and whether we can help; i.e., technical and administrative support for that specific process.
• CG can use the fact that you are a customer to determine the preferred channel (branch, CG Live, the CG Mobile app, etc.)
that it will use to get in touch with you. You can of course still choose how you want to contact CG.
• CG may text you to confirm an appointment or remind you that you’ve missed an insurance policy renewal or a loan
repayment or that your account is insufficiently funded for a payment order to be executed. You can switch these
notifications off in the menu for managing your text message settings.
• Communication via the CG Mobile app’s start screen
• In the case of customised service in digital assistant Kate, profiling occurs based on the contract that the customer has
signed with CG to this end (see 3.2).
• Digitisation of CG services and products to improve their accessibility and user-friendliness with additional personalised
information. 
• CG processes customer profiles to be able to send relevant messages and information.
• Information regarding your investment profile may be exchanged between CG group entities, as well as insurance agents,
for the provision of investment or insurance advice, so as to avoid you having to provide the same information again in the
context of an advisory meeting, depending on the delivery channel chosen, and to ensure uniformity and consistency of
the profile.
Product and service offering
Data processing needed to offer (digital) solutions and determine the relevant CG strategy
• CG can use your personal data to make you a better offer than at present or to give you a commercial discount. CG
calculates the commercial discount for all customers, irrespective of any specific request. To this end, CG analyses the
behaviour and a few relevant characteristics of the customer based on customer profiles.
• To be able to respond effectively to other customers or prospects (such as when preparing simulations or tenders) and
where CG Bank NV makes unsolicited offers in bespoke form, it may look at your customer profiles by means of carefully
shielded underlying processes. There is naturally no question of your personal data being divulged to
anyone in this context.
• Creation of profiles to tailor CG’s commercial and product strategies to customers’ behaviour and wishes.
• Preparation of internal reports on the use of processes and products by customers and platform users to evaluate and
determine CG’s commercial and product strategies. In this case, personal data is aggregated to the extent possible.
Offer of aggregated insights
• CG may aggregate personal data to assess rapidly changing consumer behaviour and thus predict economic trends, to
produce reports for internal use.
• CG Bank NV anonymises your data so that they can be publicised, for instance if, on the occasion of Batibouw it wants
to publish statistics on the numbers of home loans applied for or granted. CG Bank NV may at the same time carefully
draw anonymised insights from personal data and subsequently offer those insights to the market. CG may provide these
aggregated reports as a service or make them available free of charge to organisations in its social role and to partners in
order to provide insight into the purchase of their services through CG channels. This enables these third parties to further
refine their offer or strategy.
Mobilisation of appropriations
• If a credit claim is mobilised from a credit agreement, we may disclose the obligations and, based on legitimate interest,
the necessary details of the borrower and guarantor concerned to the transferee for the management of the claim.
Mobilisation of credit claims is effected, among other things, in the form of securitisation, assignment of receivables and
in the context of covered bonds. The recipient guarantees the confidentiality of the data.
• CG Bank NV may disclose information about the credit agreements and the way in which they are executed to:
o all stakeholder third parties with a legitimate interest (such as the National Bank of Belgium) or third parties to
whom the credit agreement may be transferred or assigned;
o parties that can assign a rating to relevant securitisation transactions.
• To improve the operation of market forces when credit agreements are converted into securities, the European Central
Bank and the EU authorities impose reporting requirements. These reports are not by named individual but by contract
detail (such as number of borrowers, term and due date of the credit, outstanding credit amount, payment arrears,
characteristics of the mortgaged pledge). This information must be made available to investors in these financial
instruments (often designated as Asset-backed securities or Residential mortgage-backed securities). You will find more
on this on the website of the European Central Bank: www.ecb.int (keyword: loan-level).
Corporate customers
• CG sends messages to its corporate customers, which may be for informational purposes. These messages may include
a call to action. In order to reach these customers, CG sends the message to the representatives designated by the
company. For the calculation of the corporate customer’s profile, CG only uses the company’s data and not the
representatives’ personal data.
• CG may also send advertising messages addressed to the company which also involve the processing of the
representatives’ data. Representatives may object to this use.
3.4 CG will request your consent to process your personal data in certain cases
You can read more about consent for direct marketing in 3.5.2.
CG will request your consent to process:
- PSD2 data that you have personally added in CG applications such as the CG Mobile app for commercial models and
profiles;
- geolocation data (unless expressly stated otherwise);
- data entered by you in a simulation or competition entry form in order to send you advertising messages;
- underlying data of a form that needs to be completed with certain information for CG to be able to process the form, in
which case CG will generally ask you to check the data’s accuracy;
- your contact details as representative of your company when we transfer them to, for example, Cashforce; 
- biometric data used for identification purposes;
- to answer questions asked by third parties, unless there is another legal basis for doing so, such as a statutory duty;
- CG will request your explicit consent for the processing of health data;
- to send notifications from the browser regarding the Private Banking newsletter. Each notification includes information on
how to withdraw your consent. If you are no longer able to make your own wishes and needs known, a carefully drafted
lasting power of attorney can guarantee that your personal wishes and needs are translated correctly from a lawful point
of view, including in banking matters. CG will respect that expression of your will and your appointed proxy holder.
CG may request your consent through all possible channels, such as the CG Mobile app’s start screen, Kate or e-mail.
3.5 CG Bank NV uses your personal data for direct marketing
As a commercial enterprise, CG Bank NV is keen to be able to suggest a wide range of financial and non-financial products and
services to you. It may do so in response to explicit requests or where it has an idea that you might be interested in or could benefit
from a given product or service.
We can reach out to you with this information in all sorts of ways: through CG bank branches and insurance agencies, over the
Internet and in apps, in the CG Mobile app’s start screen, by sending push messages from our CG Mobile app, by e-mail, post
or telephone, via Kate, and at events. In addition, the constant flow of new technologies gives CG Bank NV new ways it can
embrace to serve you better. CG is at pains to ensure that information is provided in a way that’s clear and will choose the most
appropriate channel to ensure the inconvenience of being disturbed is kept to a minimum.
If CG Bank NV knows the age, it does not make commercial offers of its own to young persons aged under 16 unless a legal
representative of theirs has consented.
Only one of the various options listed under 3.5.1 and 3.5.2 applies to you as a customer. From the moment you receive a proposal
to opt for the Direct Marketing contract as set out in 3.5.1, only that situation will apply to you, and your choice for personalised
information (3.5.2) will cease to apply. If you do not opt for the personalised agreement, you may still receive direct marketing based
on a legitimate interest (see 3.5.3). If you don’t want to receive any direct marketing at all, see 2.5, which describes how to object
to direct marketing.
If you are unsure as to which situation applies to you as a customer, feel free to e-mail mypersonaldata@kbc.be for help.
3.5.1 Direct Marketing contract for personalised advertising
If you choose to enter into a personalised agreement, you will receive personalised communications from CG. The processing of
personal data is therefore essential to the performance of the personalised agreement. The personalised agreement contains
information about the services offered by CG when you opt for the personalised agreement and on how this agreement works.
3.5.1.1 Who is offering the personalised agreement?
CG Bank, CBC Banque, CG Asset Management and CG Insurance (hereinafter: ‘CG’) have joined forces in order to make
you proposals and contact you for advertising purposes in as personalised a manner as possible. These entities can share your
personal data with each other for this purpose, to the extent that this is necessary and relevant in order to send you personalised
commercial messages. This exchange is also possible if you are not, or no longer, a customer of one of these entities. This enables
CG to approach you based on the overall profile it has compiled of you. This is important in order to ensure that CG makes you
relevant commercial proposals based on your specific situation.
For this purpose, these entities act as joint data controllers. In order to exercise your rights, as described in the general data
protection statement, you can contact CG Bank, CBC Banque, CG Asset Management or CG Insurance.
3.5.1.2 What are CG’s legal grounds for using your personal data?
CG will only use your personal data for personalised services if you have chosen to enter into this agreement.
CG invokes contract performance as a basis for delivering Kate Deals and personalised services, as described in the
personalised agreement. This concerns:
• analysis and use of personal data in order to create a profile of you and subsequently be able to send you personalised
commercial offers and messages. You can find more information about this under point 3.2;
• analysis and use of personal data in order to display Kate Deals to you on a personalised basis and to customise this data
at the participating merchant’s request. You can find more information about this under point 3.2.
• contacting you through the most appropriate channel. You may receive commercial messages through a variety of
channels (via the CG bank branches and insurance agencies, the Internet, CG applications, by post, e-mail, telephone,
etc.).
CG invokes permission to:
• use electronic communication channels to send commercial messages. The personalised agreement always contains a
provision for the receipt of electronic communications via push notifications from CG Mobile, or by e-mail, text, or
WhatsApp message. You may choose to change your communication preferences at any time and are therefore
completely free to decide how CG sends you commercial proposals. For example, you may decide at any time to have
these communications restricted to the channels of your choice, or not to receive any commercial messages electronically 
at all. You can make these changes in CG Mobile (Privacy > Commercial Settings), CG Touch (Profile > Privacy >
Commercial Settings), CG Live, or at any CG branch. Even if you choose not to receive any electronic communications
at all, you can still benefit from the personalised services.
• send you personalised offers based on your click and browsing behaviour on CG websites and in CG applications.
CG respects your privacy preferences and will only store this data if you have given the required cookie consent.
3.5.1.3 What type of data processing is needed in order to provide the requested services?
In order to be able to deliver the services described in the personalised agreement, CG must be able to predict your behaviour,
needs and requirements.
CG uses all personal data (including transaction data, data obtained from third parties, data obtained from public sources such as
the Belgian Official Journal, data and information gathered during conversations with you at the branch or other contact moments,
etc.) it possesses on you and any insights it obtains based on general market analysis. CG combines this data with other data and
information relating to your family, business, etc.
CG may make highly personalised commercial proposals to you, tailored to your needs and interests, by applying this analysis to
your individual or family situation (i.e. profiling).
Data processing in the context of personalised commercial messages
CG conducts in-depth profiling as part of the personalised agreement in order to be able to tailor the advertising messages to your
needs. This is because CG’s intention is to send you commercial messages tailored to your situation as much as possible.
These commercial messages might focus on:
• CG’s products and services and those of carefully selected partners with whom CG works in order to provide their
services through CG (e.g., Payconiq, partners for additional services such as 4411, De Lijn, Kinepolis, etc.). You can find
an up-to-date list of CG’s partners at this link. This list is regularly updated by CG;
• both financial products (including loans, credit cards, insurance products, etc.) and non-financial products (including Kate
Deals, purchasing train tickets, ordering service cheques, etc.).
CG generally sends these commercial messages to you directly, rather than through its partners. This ensures that CG can
minimise data processing by its partners. CG has also made contractual arrangements with its partners, in which they confirm that
they will comply with the privacy rules.
Data processing in the context of Kate Deals
Calculation and execution of cashbacks
CG uses the transaction data to calculate and execute the cashbacks you are entitled to. For instance, based on your purchases,
CG can see which Deals you actually redeemed.
CG works with a number of participating merchants.
• Personalisation of Kate Deals at the request of the participating merchant
These participating merchants can determine whether or not they want to limit their deal to certain customers, based on a set of
predefined parameters. This enables participating merchants to more accurately determine the target audience for their Deal. For
example, they might decide to limit their deal to customers who have made purchases from them over the past three, six or nine
months (or those who just fall short of this mark) or solely to customers who live or shop in a particular province. In order to be able
to deliver these parameters, CG checks your personal details. The transaction details are also reviewed for some of these
parameters.
Personal data that may be processed in this context includes transaction data, place of residence, gender, age, household
composition, as well as profiles derived by CG (from customer data), for example, hobbies and what customers do in their spare
time. This data is processed either separately or combined. CG does not pass on this personal data directly to the participating
merchant, but instead uses it to determine the group of customers that get to see the deal.
In the context of personalisation requested by the participating merchant, CG and the participating merchant concerned are jointly
responsible for processing the relevant data. Feel free to contact CG if you have any questions about exercising your rights (as
described in the general data protection statement). The data protection statement is available at www.kbc.be/privacy. You can
also obtain a copy at your bank branch or from your intermediary.
Since CG automatically selects for which Kate Deal you are eligible based on the parameter(s) communicated by the participating
merchant, some of these decisions may be made automatically. You can read more about how automated decisions are made in
the Annex to the CG Data Protection Statement – automated decision-making.
• Anonymised statistics
CG sends anonymised data to the participating merchants regarding their Deal, as it was published on the Kate Deals Platform.
Personalisation to show Kate Deals in the most relevant order
The Kate Deals displayed on the Kate Deals Platform have been personalised. Personalisation is a feature of the Kate Deals
Platform intended to ensure that the Deals published on the Kate Deals Platform are as closely aligned as possible to your needs
and preferences.
CG creates a profile of you to help personalise the Deals and determine how and in which order they are presented to you. This
allows CG to present you with the Deals that are most relevant to you.
CG bases this profile on your transaction data, which shows the sectors (e.g., fashion, leisure, etc.) and locations that may be of
interest to you. CG also looks at other personal data, such as your name and address. If you have given permission for CG 
Mobile to use your location, CG will use it to show Deals located near you. If you have consented to the use of cookies, CG also
keeps track of your click and browsing behaviour (e.g., what Deals you have viewed) on the Kate Deals Platform in order to improve
the Deals’ relevance.
CG and the TradeTracker partner platform join forces
To know if you are entitled to a Deal via an external partner, and for the calculation and execution of the cashback, CG and the
partner platform (TradeTracker) need to be able to see if you made a purchase using the unique link on the Deals Platform and for
what amount. CG and the partner platform must also detect any fraud in connection with the Deals via external partners in time.
CG and TradeTracker are joint controllers for these purposes. Feel free to contact CG if you have any questions about exercising
your rights (as described in the general data protection statement). The data protection statement is available at
www.kbc.be/privacy. You can also obtain a copy at your branch or from your intermediary.
The types of personal data processed by the partner platform in this context are traffic data (including IP addresses), where
appropriate linked to your purchase (amount and time).
3.5.2 Personalised commercial messages, with your consent
If you have previously consented to receiving personalised commercial messages, this consent will remain valid until you have
made a choice regarding the Direct Marketing contract.
If you give explicit consent to receive personalised commercial messages, CG can make proposals tailored perfectly to your
individual situation. You will no longer receive scores of adverts that are of no interest to you. Your consent applies specifically to
personalised commercial messages and is unrelated to the processing of personal data in the context of Kate Deals. In this regard,
CG uses all your personal data (including transaction details and information obtained from third-party sources (such as
financial institutions), public sources like the official gazette, the results of discussions at your branch and other contacts). This data
is collated along with details of your family and business, and so on, so that CG is really in a position to provide you with commercial
messages tailored to you. You can withdraw your consent at any time, just as easily as you gave it.
Your consent to receiving personalised commercial messages is valid for each of CG Insurance, CG Bank, CG Asset
Management, CBC Banque, CG Securities and CG Autolease. As regards CG Autolease, your consent only applies to services
that it provides directly to private individuals. These CG entities are then able to share your data with one another. Such exchanges
are also possible if you’re not or you are no longer a customer of any CG company. This enables CG companies to look into your
situation and proactively suggest alternatives aimed at your specific situation.
You receive the messages directly from CG and not from the partners CG works with. These partners are listed in 3.5.1.1 and
3.5.1.2. This ensures that data processing by these partners is limited and they only receive data about you if you personally
express interest in the information. CG has made contractual arrangements with the partners, in which the partners confirm that
they will comply with the privacy rules.
Subject to your explicit consent, CG may send you commercial messages about financial products and services and about non-financial products and services. CG offers a separate choice for both.
Platform users and prospects cannot opt for personalised commercial messages.
3.5.2.1 Commercial messages about financial products and services (occasionally referred to as ‘personalised information’)
Your separate consent applies to messages about financial products and services from CG and from carefully selected partners
that offer products or services in the general fields of banking and insurance. Those partners must at all times meet the following
criteria:
- They must be a provider of financial services or an insurance company. Financial service providers include banks, credit
institutions, wealth managers, funds, stockbrokers and lease companies in as far as their offering to private individuals is
concerned.
- If legally required, the partner has to be licensed for the financial service or insurance that CG is offering.
- The messages contain information on products and services from the general fields of banking and insurance such as savings
products, investment funds, lending and insurance (both property cover and life insurance).
A list of our current financial partners can be found at www.kbc.be/partners. This list is regularly updated by CG.
3.5.2.2 Commercial messages about non-financial products and services
Your separate consent applies to messages about non-financial products and services from CG and from carefully selected
partners with whom CG cooperates in order to offer you their services through CG. The messages may relate, for example but
not exclusively, to the Additional Services that CG offers in the CG Mobile app, such as selling tickets or offering new deals in
CG Deals.
The messages concern non-financial products and services outside the general fields of banking and insurance.
More information about partner services offered by CG is available at www.kbc.be/partner. This information is updated by CG on
a regular basis.
3.5.3 Limited personalised commercial messages, based on a legitimate interest
If you do not want to receive a highly personalised offer, you should not opt for the Direct Marketing contract or consent to receiving
personalised commercial messages.
Nevertheless, you may occasionally still receive offers and advertising from CG Bank NV (e.g., in the CG Mobile app’s start 
screen or by e-mail, push notification or text message): based on its legitimate interest, CG sends offers on the basis of a limited
number of data (such as who you are and where you live, your date of birth, your marital status, your contact details, family
relationships, the apps and products you use, or any lack of interest on your part in certain products).
These limited personalised commercial messages may concern:
- financial products and services from CG Bank NV or CG Insurance and CG Asset Management;
- non-financial products and services from CG and from carefully selected partners, for example in the Additional Services in the
CG Mobile app, such as the sale of tickets. More information about the partners can be found at www.kbc.be/partners.
Subject to your separate consent for the electronic channels (e-mail, push messages and SMS/WhatsApp), CG may send you
advertising on all products through these channels. In the absence of your consent, we will limit ourselves to advertising on products
similar to those you already own. You can manage your consents in the CG Mobile app, via CG Live or at your branch.
You can object to direct marketing as set out in 2.5, in which case you will no longer receive personalised advertising.
In order to be able to send you the appropriate message through the correct channel, CG may also call on other service providers.
For this purpose, CG may cooperate with communication and marketing agencies, and similar companies such as social media
players (e.g., Google, Facebook, Instagram, WhatsApp). Sometimes CG only uses information it has about you or your personal
profile information held by them. In other cases, CG combines those data. Depending on the type of cooperation, they may be
processors or controllers (see points 5.2 and 5.3).
3.5.4 Marketing for platform users
CG uses platform users’ personal data to conduct direct marketing campaigns (e.g., the CG Mobile app’s start screen or by e-mail, push notification or text message) based on a legitimate interest. This may include services offered through the CG Mobile
app, including CG Deals, and CG Bank NV payment solutions. For this purpose, CG processes the limited set of personal data
that the user registered when they activated the use of the CG platform (surname and first name, address, date of birth, mobile
phone number and e-mail address). If the user agrees to the use of cookies, CG can also send offers based on click and browsing
behaviour. Platform users can exercise their right to object to direct marketing, in which case they may still see an advertising
message but it will be a general advertising message, for which CG does not process customers’ personal data.
3.5.5 Marketing based on your click and browsing behaviour
CG may send you offers based on your usage patterns on its websites and apps, provided that you consent to the collection of
these cookie data and them being used for sending personalised commercial messages. The cookie consent determines which
offer CG can send you. Your cookie data may be combined with other personal data according to the conditions set out under
3.5.1, 3.5.2 and 3.5.3.
3.5.6 Marketing to prospects
CG uses prospects’ contact details to conduct direct marketing activities. Commercial messages by e-mail are sent only with the
recipient’s prior consent. Telephone marketing is always based on a legitimate interest, and CG respects anyone who is listed on
the Do-Not-Call Registry.
3.5.7 What if you do not wish to receive personalised advertising (or less of such advertising)?
You can always choose not to activate the personalised agreement or not to opt for personalised information if you only wish to receive
general advertising messages. If you no longer want to receive any advertising at all, you can object to direct marketing. For instructions,
see paragraph 2.5.
3.6 CG will not sell your personal data
CG Bank NV does not sell or hire your personal data to third parties for their own use, unless you opt for this yourself by giving
your consent or in the context of a service.
4 Part 4: CG Bank NV processes different types of data
The types of data that CG Bank NV processes are explained below.
4.1 Identification, data linked to a service and personal particulars
IDENTIFICATION DATA
Your electronic ID card details that can be accessed without a PIN, such as your name, sex, date of birth, nationality, national registration
number, but also your customer number, vehicle registration number, driving licence, click data, how you utilise your device, information
identifying the devices you use (MAC address, IPs, information uniquely identifying your device).
CONTACT DETAILS
Telephone number, e-mail address, language, postal address, username in social media apps.
DETAILS LINKED TO A SERVICE
Your products: Account numbers, your financial products (payments, loans, insurance, savings & investments).
Your product usage: Your transactions, salary and other income and expenses, growth of your wealth, changes in your wealth situation, investments, loans, insurance policies, movements on your accounts and their balances, the use of
Your preferences and interests: Your potential interest in CG products; your financial information, how it has changed over time and the advice we’ve previously given you.
Derivative information: Based on movements such as payment transactions (transactions on your accounts, in your investment portfolio, done using your card, etc.), CG Bank is able to observe your behaviour and detect your needs. We can use the resulting profile for instance to send you personalised offers, to more effectively analyse which payment solution works best for you, determine your preferences in terms of communication or which insurance products you need or whether you are eligible for a commercial discount.
PERSONAL PARTICULARS
Your family situation: Marital status, make-up of your household, relationships.
Your overall financial situation: CG Bank can give you sounder advice if it is apprised of your overall financial situation (your total assets, real estate you own, etc.).
Your job of work: Your education, occupation and work experience.
‘Key moments’ in your life: The important phases in your life (past, present and future). Like getting married, living together, building a family, plans for the home or the death of a child, parent or your spouse.
Your lifestyle: Things like leisure activities and interests, club memberships, your home environment and property owned by you.
Your feedback: Comments and suggestions, past complaints. These can definitely help CG Bank to provide you with a better service in the future.
Your risk profile: CG processes your investor profile in order to assess, for example, whether a given investment is appropriate for you. When other information is added such as age and investment horizon, CG can also process your risk profile and determine how you cope with investment losses, so that it can provide even more targeted investment advice. CG may also process your fraud profile, credit risk profile or insurance risk profile, and other profiles for
Your health data: CG processes health details, for example when providing tax and legal opinions or financial planning advice or for taking out life insurance. If it intends to do such data processing, CG procures your separate consent. Naturally, strict procedures apply to how this health data is processed.
Your biometric data: CG processes your biometric data for more efficient and accurate identification, for example as part of the customer onboarding process, for instance by taking a photograph or short video clip. If it intends to do such data processing, CG procures your separate consent. CG only retains biometric data for a limited period of time after use.
4.2 Data from third parties
CG Bank NV sometimes processes information that is a matter of public record.
• This might include data that are subject to a reporting duty such as you being appointed a company director;
• Data you personally place in the public domain such as information on your website, in your blog or via your publicly accessible
social media profile, information publicly available on the Internet, or information about you that CG Bank NV has obtained from
third parties (e.g., family members);
• Data that is in the public domain, say, because it is common knowledge in your area or because it has appeared in the press.
Information from sources such as the companies register and Graydon also falls into this category.
CG Bank NV may also receive personal data via third parties, for example, but not exclusively, by buying it or obtaining it from the
Belgian Land Registry (Kadaster) or from companies such as Blacktiger, HIS Markit Group Limited, GIM or Graydon, business
organisations, etc. that are responsible for making sure that they gather the relevant information lawfully and pass it on to CG.
In addition, CG receives personal data from third parties on the instructions of its customers (e.g., account information from an
account held at another bank in connection with the provision of account information services).
CG uses that publicly available data and information from third parties for all the processing purposes set out by CG Bank NV
in this data protection statement.
4.3 Your current location can be important
If CG Bank NV wants to identify your location (i.e., geolocate you), CG will always inform you accordingly and will ask for your
consent where appropriate, for instance when you visit certain pages on its websites or if you use a CG app or technology such
as beacons.
CG Bank NV may send you a message for which your location is important. Or, if you’re at a CG event, the background in the 
CG Mobile app might be modified accordingly, for example. It’s also possible that when you enter a shop, the CG Mobile app will
draw your attention to the fact that in this shop you can pay using MobilePay.
In order to offer you this service, CG may use a geolocation service provider, such as Google. Google has a privacy policy of its
own. You can read it in detail at www.google.com/policies/privacy. We recommend that you take the time to read it. CG Bank NV
can also use the details of your location to construct global models and analyses.
Moreover, we are aware of what your location is on the basis of things like your IP address and your telephone’s technical readings.
This information can also be important in relation to things like detecting credit card fraud and improved data protection.
4.4 CG can process information you share with its staff
When you contact CG Bank NV staff at a branch or by telephone, chat or via Kate, this may be registered:
• to constitute a record of contacts between bank and customer;
• so that there is a (short) record of the contact;
• to enable staff to prepare ‘to do’ lists of tasks identified during the conversation;
• to provide you with better service in the future.
Even if you are not a customer, CG Bank NV will store the information you provide. That information can be used if you
subsequently become a customer.
In adopting this approach, CG Bank NV seeks to avoid your having to constantly provide the same information or answer the same
questions. It also allows CG to improve continuity in the services provided to you.
4.5 Monitoring CG correspondence in written form
If you contact CG Bank NV by e-mail or have digital communication channels that are used by CG Bank NV (e.g., CG Touch or
the CG Mobile app), it can use these channels to send you mandatory and official notices, in which case CG will notify you by
push notification.
CG works on the assumption that correspondence sent to staff members in their capacity as CG employees (at a branch or on
its fax or to a job-linked or personal CG e-mail address, etc.) is business-related and that CG is entitled to read it in the context
of:
• their duties;
• the production of evidence;
• workplace checks;
• security;
• fraud prevention;
• service optimisation and/or continuity, including the use of automated text analysis and editing to help CG staff correspond with
you quickly and efficiently.
4.6 Recording telephone, video and chat conversations
As a customer, you have a variety of ways to get in touch with CG. For instance, you can contact our commercial staff in the
branch network or at CG Live, contact centres and helpdesks, Private Banking branches, our inheritance experts, the Bolero Call
Centre and the dealing room.
Various applications can be used for this purpose. For example, you can call a CG employee, in certain cases you can start a
chat or you may receive an invitation to an online meeting (e.g., in Microsoft Teams). When attending an online meeting, you always
have the option to share your screen or enable your camera at your own discretion.
CG Bank NV may listen in to or record conversations. You will be informed of this at the start of the conversation (e.g., verbally or
in a pop-up message on your screen). By taking part in a telephone or video call, you expressly agree to it possibly being recorded.
CG listens in to or records conversations for various purposes:
- For training and coaching of staff or to improve the quality or security and monitoring of processes. These recordings are kept for
a period of one month; due to technical reasons, they may be stored in our back-up files for slightly longer.
- Production of evidence:
o In the context of legal duties intended for the protection of investors (MiFID II), CG Bank NV is required to record
and retain telephone conversations and electronic communications that could result in transactions in investment
products. CG Bank NV therefore records the conversations and electronic communications of staff whose work
duties relate to investments. If you talk to these experts, specialists or relationship managers or communicate with
them electronically, we record it. For evidential purposes and in order to comply with the legal obligations under
MiFID II, CG Bank NV keeps these recordings for ten years. If a dispute arises, CG will keep them for as long as
it needs to defend itself. You can request a copy of this recording.
o CG attaches a great deal of importance to secure online banking. To that end, CG set up the Cybersecurity
Service Secure4u, which is available 24/7. There you can report (alleged) abuse, after which CG will investigate
the report and possibly contact you by telephone. CG may then ask you, for example, to lodge a complaint with
the police. CG also records this telephone call for any subsequent juncture.
- Service provision:
o CG Bank NV may also use automated analyses of conversations to speed up and improve its services. Telephone, 
video and chat conversations, for instance with Kate, together with other communications and the emotions
expressed in them, can then be used in the development and training of artificial intelligence. Artificial intelligence
could ultimately allow written or spoken customer communication to be fully automated. Artificial intelligence can
support CG staff and increase CG’s ease of access. The link to personal data is severed as quickly as possible
when developing and training artificial intelligence. To check and improve the quality of verbal chat conversations
with Kate, CG converts the conversation into text. CG only keeps the original conversation for one month and
the anonymised transcription for one year.
4.7 Temporary storage of security camera images
CG Bank NV may use CCTV in and around the offices and premises where it operates. In the case of security cameras, CG
Bank NV observes the special rules that apply. If a security camera is present, CG informs you by means of a clearly visible sticker,
for instance. In addition, CG Bank NV in all events adheres to the ‘besafe’ guidelines issued by the Security & Prevention General
Directorate of the Federal Public Service for the Interior (www.besafe.be).
CG generally keeps images recorded by security cameras in and around CG Bank NV premises (identified with a sticker) for no
more than one month. They may be kept for longer:
• if the recorded images serve as evidence of certain dealings or may depict a criminal offence or unruly behaviour;
• as evidence of damage or in order to identify an offender, trouble-maker, witness or victim;
• where a right of access is exercised, for as long as necessary to respond to the request;
• at locations that present an increased security risk, in which case the period is three months.
If you have questions about CCTV images, you can contact the CCTV Contact Centre at Egide Walschaertsstraat 3, 2800
Mechelen, or at CCTV@kbc.be.
4.8 Transaction details
4.8.1 Specific services CG provides to you based on your transaction data
CG offers you account information services and payment initiation services, giving CG access to the balance and transaction
information of the accounts you hold with another bank. This is subject to the condition that such payment accounts are accessible
online. The account information, which only becomes accessible after you have activated the service, is used by CG to carry out
the requested service. If there are difficulties in connecting CG to the account-holding bank, limited account information may be
exchanged to resolve those problems.
CG may also use the transaction data obtained to carry out its anti-money laundering and embargo inspections, to monitor and
prevent payment fraud and to draw up the required reports. Such activities are mandatory, in accordance with applicable legislation.
If you consent to the use of transaction details from other banks, CG may also ultimately use this data from other financial
institutions to benefit its commercial and service models and its profiling, such as for providing the proactive version of Kate (if you
opted to use this). Based on that data, the bank can offer you an even more accurate and personalised service. You may withdraw
this consent at any time by toggling ‘Data from other banks’ under ‘Profile’, ‘My privacy’, in the CG Mobile app.
4.9 More than just your own personal data may be involved.
For instance, if you have a company or children, you agree that CG Bank NV can also keep a record of those
relationships and process the details of any associated persons. We may also process personal data of parties we have no direct
relations with but who are involved in a relationship with us, such as being the beneficiary under a life insurance policy or as usual
driver under a car insurance policy or as witness to an accident. If you provide information about your family members or related
persons, we ask you to inform them of that fact (e.g., of a change of address that you’ve forwarded to us). If needed in order to
properly provide services to your family, we may also report limited details on you to your family members, so as to avoid overinsurance for your family.
If you provide information about your family members (e.g., a change of address) or related persons, we ask you to inform them of
that fact. For example, when you create a group in the ‘Split group expenses’ payment service, you are required to inform the
people you invite to the group that you will share their phone number with CG for this purpose.
This has the following implications for legal entities:
• Please note that legal entities may only provide us with personal data of natural persons associated with them if those persons
are sufficiently informed of this and, where necessary, have given their consent;
• The legal entity accordingly indemnifies CG Bank NV in respect of all liability in this regard (vis-à-vis those concerned). For
example, the company is responsible for complying with the data protection legislation when it submits lists of users for online
applications or of beneficiaries of employee profit-sharing bonus programmes.
5 Part 5: About cooperation, confidentiality and security
5.1 Not everyone at CG can look at your data
Only persons with appropriate authorisation can access personal data, and then only if that data is relevant to the performance of
their duties.
In principle, within CG Bank NV and the CG group, your personal data will only be processed and viewed by certain departments
that:
• you have, had or want contacts or contracts with;
• need to be involved in the provision or aftercare of services;
• fulfil legal requirements (at group level) or requirements imposed by regulators or stemming from corporate governance
principles;
• are tasked with preventing fraud, including money laundering, by employees and customers.
Some examples:
• When we are notified of the death of a customer of CG Bank NV who is also a customer of other CG entities in Belgium, we also
inform those other entities.
• For direct debit mandates, you may take certain steps to block them (e.g., blocking the instruction or imposing a maximum limit).
If you take such a step in respect of a direct debit in favour of a CG company, CG Bank NV may inform that company of the
fact. The CG company concerned can then more effectively assess the status of your direct debit instruction.
The individuals who are authorised to consult your data are moreover bound by a strict professional duty of confidentiality and must
abide by all technical instructions to ensure the confidentiality of your personal data and the security of the systems in which the
data is held.
5.2 Data processed by CG data processors
CG Bank NV uses the services of several processors to process personal data. These are companies that process data on the
instructions of CG Bank.
5.2.1 Processors within the CG group
For the processing of personal data, CG Bank NV makes use of a processor within the CG group based in the European Union,
namely CG Group NV and CG Global Services NV. Processing is carried out in Brno, Sofia or Varna, for instance, by the Shared
Services Centre, branches of CG Global Services NV in the Czech Republic or Bulgaria.
Some of the data processing performed by CG Group NV and CG Global Services NV on behalf of CG Bank NV relates to
oversight and support functions (at group level) such as financial reporting, the compliance function, the internal audit function, the
inspection and risk function, anti-money laundering checks, complaints management, marketing support, support for invoicing,
money transfers, credit processing and ICT management for the CG group.
For ICT management, CG uses CG Global Services NV, sometimes in conjunction with other processors within and outside the
CG group.
CG also uses the services of 24+ NV (www.24plus.be):
• as a contact centre through which you can get in touch with us;
• as a contact centre to get in touch with you on behalf of CG for the purpose of making an appointment or conducting a
satisfaction survey, to inform you about ‘personalised information’ and to invite you to make a choice;
• to log data into CG apps;
• for administrative processing on the instructions of CG;
• to provide information to the tax authorities and the police;
• to conduct an advisory meeting following a death, and to register next of kin, heirs, legal representatives and beneficiaries in the
persons database.
Examples include making appointments for branches, answering telephone enquiries, handling e-mails, and processing and
executing online applications.
CG works together with Everyone Invested, a subsidiary of CG Asset Management NV, to analyse the conformity of individual
investment portfolios with the CG Investment Strategy. CG exchanges anonymised data regarding the investment portfolios with
Everyone Invested for this purpose.
5.2.2 Processors and third-party joint controllers characteristic of the financial sector
CG Bank NV uses specialist third parties in Belgium and abroad to perform some processing operations, such as payments.
This concerns:
• SWIFT (www.swift.com) with headquarters in Belgium and establishments in many countries, for the global message exchange;
• Equens Worldline SE (www.equensworldline.com), Mastercard (www.mastercard.com), Idemia (www.idemia.com) and, in
certain cases, Bancontact Payconiq Company NV (www.bancontact.com) for payments and (credit) card transactions worldwide;
• Custodians and subcustodians of financial instruments worldwide that are subject to local financial regulations;
• institutions for the settlement and clearing of payments and securities transactions, such as the CEC (www.nbb.be) (payment
systems) and Euroclear;
• transport companies (for cash and other valuables) and security firms;
• consumer credit intermediaries (i.e. instalment loans);
• entities that support CG in complying with its anti-money laundering obligations, for example by developing and using money
laundering detection models;
• Batopin NV (www.batopin.be), a network of bank-neutral ATMs, also for updating your electronic ID card details;
• Appbot Pty Ltd (www.appbot.co), for monitoring and analysing feedback from users of CG apps;
• Renta Solutions NV for typical leasing platforms in automating vehicle ordering, vehicle registration and delivery (Order Register
Deliver), maintenance, electronic invoicing (REI rS Electronic Invoice).
5.2.3 Other processors
CG Bank NV may also directly or indirectly (e.g., through CG Group NV) engage the services of other processors, such as
• consultants;
• third-party business introducers to fulfil its general duty of vigilance as laid down by law:
− The obligation to identify and verify identities
− The obligation to identify the customer characteristics and the purpose and nature of the business relationship
− The obligation to update information
• market research agencies such as Ipsos (www.ipsos.com), Profacts (www.profacts.be), GFK (www.gfk.com), Check market
(www.checkmarket.com), iVOX (www.ivox.be) and Intrinsiq (www.intrinsiq.be), for issuing invitations and carrying out surveys;
• ICT and ICT security service providers like Microsoft, Cognizant, IBM, Amazon and HP, and specialist fintech and artificial
intelligence companies such as Onfido for facial recognition during the customer onboarding process;
• marketing and communication agencies and similar companies, whereby CG uses personal profile information on you that is
held by them, along with the data it holds on you, to be able to make targeted offers to you via their channels (e.g., Google,
Facebook, etc.);
• companies that support CG in identifying and analysing your user behaviour in our apps and on our websites (e.g., Adobe,
Dynatrace). In preparation for the analysis of Adobe Data Analytics, CG may rely on the services of Amazon Web Services –
Cloud Computing Services. The transfer and processing of personal data from, to and in Amazon Web Services is encrypted;
• companies specialising in information archiving and access, such as Doccle (Doccle stores information on all our customers,
including those that haven’t opted for digital record-keeping). Doccle uses Amazon Web Services – Cloud Computing Services;
• companies specialised in scanning digital documents in order to digitise files with associated info;
• companies specialising in solvency investigations;
• companies specialising in specific services that CG uses when offering services to its customers, such as Meeco for offering
the Digital Safe in the CG Mobile app;
• printers for printing and the addressing of news magazines, cheques and transfer forms, badges, among other items;
• freelance translators and translation agencies;
• social media management tools (CX Social);
• sworn real estate experts;
• communications agency Motisha BV (www.motisha.com);
• companies providing Platform as a Service (PaaS) and Software as a Service (SaaS) in the cloud, such as:
− the Microsoft Dynamics CRM app used by CG to maintain customer overviews;
− VEE24’s video chat app for enabling digital communication with CG;
− the storage services of Microsoft Azure or Amazon, on which CG can place its own platforms or software that process and store
your personal data;
− security services that screen Internet or e-mail traffic with CG for cyberattacks or phishing scams;
− TreasurUp, with whom CG exchanges the contact details of company representatives to enable forex transaction analysis;
− Nomios Belgium NV to set up a secure network connection between CG entities worldwide based on SD WAN technology;
− applications that facilitate and automate call recording, where appropriate, for instance as offered by Luware.
− …
5.3 Processing by other data controllers
5.3.1 Other controllers
As a data controller, CG may – in addition to using other processors – use other service providers or third parties, such as lawyers,
notaries public or doctors, who themselves are data controllers.
This is, for instance, the case for CG Securities Services, which is a part of the CG group. CG Securities is the controller of your
personal data when providing services in its capacity as a broker or custodian of securities. To this end, CG Securities Services
works with other third parties such as asset managers and private bankers. They in turn offer their own services, such as investment
advice, and therefore also act as a controller of your personal data. When that is the case, another – usually shorter – data protection
statement may apply since the service is also more limited. If you purchase a service from CG that is covered by a shortened or
non-standard data protection statement, you will be duly advised of this. The most recent version of the statement applying to
services provided by CG Securities Services can be viewed at www.kbcsecurities.com.
CG can outsource the collection of arrears on, say, a loan, to specialised companies that themselves are data controllers.
CG also distributes its own products and services in conjunction with third parties that refer their customers to CG, for example
for a loan. They do not act as intermediaries in that regard and only pass on to CG the personal data needed to prepare tenders
or simulations. The third parties are responsible for passing on the personal data. The third parties have access to a dashboard to
track purchases of products.
As a bank-insurer, CG Bank NV cooperates with CG Insurance, with both companies acting as data controllers with respect to
personal data. Specific information regarding the controllers for the direct marketing domain is provided under 3.5.
CG can itself act as a third-party business introducer for, for example, Payconiq or Belgian Mobile ID (itsme). CG then processes
personal data as data controller. CG transfers this personal data to the third party. Likewise, a third party may act as a third-party
business introducer for CG.
When a mortgage expires and mortgage renewal is needed, CG will call upon the services of a notary public. CG provides the
notary public with the national registration number(s) of the borrower(s), a copy of the original registration model, the first
authenticated copy of the deed or other useful information that allows the notary public to renew the mortgage registration.
When, as a merchant, you want to install an electronic payment terminal and you ask CG to act as an intermediary in that regard,
CG will pass on your contact details to Equens Worldline SE.
In certain specific cases, processors whose services CG engages (see 5.2.3) may nevertheless act as controllers for the
processing of CG data. One such case is Microsoft, which also processes personal data for activities beyond the limited scope of
a processor, such as billing, internal remuneration, internal reporting and internal organisation, fraud prevention and security of
their services, service improvement, financial reporting, and compliance with legal obligations applicable to them. CG has entered
into the necessary contractual arrangements with Microsoft to ensure compliance with the relevant data protection safeguards.
CG can also cooperate with third parties such as Xerius Ondernemingsloket vzw. Xerius helps you to start up a business. During
that process, Xerius may put you in touch with CG to get your business account opened. Xerius then sends identification details
to CG. Xerius does this with your consent.
5.3.2 Voice Assistants
As a customer, you can ask for your balance and transactions via so-called virtual ‘Voice Assistants’ (Alexa, Google Assistant, etc.).
In order to do this, you must first give CG your consent to transfer the necessary account information to that service. The further
processing, such as the electronic pronouncement of your balance by the service, is carried out entirely by the third party that
provides the service to you. CG is not responsible for that.
5.4 CG Bank NV processes your data on behalf of third parties
CG acts as a processor of your personal data on behalf of third parties further to the execution of orders at a number of stock
exchanges or when acting as a broker. This is, for instance, the case for CG Securities Services. CG acts as a processor for
certain third parties with respect to the Additional services as set out under 3.2. CG Bank NV acts as a processor for CG Insurance
NV for the distribution of their products.
5.5 CG Bank NV takes specific measures to protect your data
CG Bank NV ensures that strict rules are followed and that the processors concerned:
• only have the data they need in order to perform their tasks;
• have given CG Bank NV a commitment that they will process this data securely and confidentially and only use it for carrying out the
instructions given to them.
CG Bank NV will not be liable if these processors (according to law) disclose customers’ personal data to local authorities or if
incidents occur at those processors despite the measures they have taken.
CG ensures that the European data protection standards for personal data are applied worldwide within companies belonging to
the CG group and their branches. CG also ensures that companies and corporate branches of the CG group take appropriate
measures to protect the data of legal persons.
CG Bank NV takes internal technical and organisational measures to prevent personal data finding its way into the hands of, or
being processed by, unauthorised parties or being accidentally altered or deleted.
Strict security measures are in place to protect premises, servers, the network, data transfers and the data itself, and extra checks
are also carried out by a specialist department in this regard.
To make online banking and investment services as secure as possible, security experts at CG continuously analyse cyber-criminal
activity so that they can hone the relevant security measures accordingly. Find out more at www.kbc.be/secure4u.
Together with you, we need to be aware that information shared by e-mail can sometimes be intercepted and, where possible, we
must aim to use a different means of communication or to limit the amount of information sent.
CG websites and apps may contain links to websites or information of third parties. CG Bank NV does not check such websites
or information. Parties offering these websites or this information may have their own privacy policies in place, which we advise you
to read. CG is not responsible for the content of those websites, their use or their privacy policy.
CG Bank NV sometimes facilitates the publication of information (including personal data) via social media such as Twitter and
Facebook. Bear in mind that these channels have their own terms of use, with which you must comply. Publishing data on social
media may have (undesirable) consequences, including for your privacy or that of persons about whom you share data. You may
not be able to delete such published information quickly. You should therefore assess the consequences yourself as the decision
to disclose data on such media ultimately lies with you. CG does not accept any responsibility in that regard.
5.6 CG does not keep your data for ever
CG uses your personal data where CG has a clear aim in mind. Once that aim no longer exists, we delete the data.
The period for which your personal data has to be retained is defined by law (usually till ten years after the end of a contract or
execution of a transaction. For commercial claims it is 30 years after the end of a contract or execution of a transaction). The period
can be longer where needed for the exercise of our rights. If no retention period is stipulated by law, it can be shorter.
For some applications, a more extended time horizon may be necessary, such as for carrying out surveys and risk and marketing
models. Some insights only get clearer once they are viewed over a longer time span. This can result in the retention period being
extended by ten years on top of the standard periods. As has been stated, CG will in all cases sever connections to individuals as
quickly as possible and work only with aggregated or anonymised data.
Information that you personally registered in the CG Touch application ‘Profile yourself’ or that was registered at the branch, with
the agent or in CG Live, for example, is retained by CG for five years.
Personal data on prospects is used by CG for a maximum of five years unless, in the meantime, there has been contact with the
prospect. In that case, a new maximum five-year period starts. Prospects can always ask for their personal data to be removed. 
5.7 Data transfer outside the EEA
The law in some countries outside the EEA (like the United States of America or India) doesn’t always afford the same level of data
protection as in EEA member states. Where a non-EEA country is viewed by the European Commission as not offering an adequate
level of protection, CG Bank can cover the deficiency by, say, agreeing the required contractual guarantees with those third parties
(such as a model approved by the European Commission), providing control mechanisms and implementing technical and
organisational measures.
The transfer of personal data to countries outside the European Economic Area or to international organisations was screened by
CG. This transfer either takes account of the European Commission’s list of safe countries or is based on reasonable and sufficient
security measures or falls under a specific derogation from the GDPR.
The most important aspects of international data transfer are explained in more detail below. Feel free to e-mail
mypersonaldata@kbc.be if you have any questions.
5.7.1 Personal data transfer within CG
CG may export some personal data relating to Corporates (e.g., contact details of representatives) to its foreign branches in Hong
Kong, China, Singapore and the US, provided the corporate client also operates in the country in question.
5.7.2 Processors outside the EEA
CG always opts for the processing of personal data to take place within the European Union. Given the nature of certain processes
(for example, when round-the-clock support is required), in some cases personal data may be transferred to processors outside
the EEA.
Even if the data centre is located within the EEA, access from outside the EEA may still be possible in some cases (e.g., in case of
technical problems, or when round-the-clock support is required). This is also considered data transfer outside the EEA.
For some processes, the processors’ data centres may be located outside the EEA or accessed from outside the EEA, as is the
case for the United States of America. Some examples (as at 16 September 2022):
Processor | Data categories
Microsoft | Basic identification and contact details, data relating to product ownership and product usage, etc.
AWS | Basic identification and contact details, data relating to product ownership and product usage, financial data, etc.
Adobe | Basic identification and contact details, data relating to product ownership and product usage, financial data, etc.
5.7.3 Data transfer to controllers outside the EEA
Similarly, when data is transferred to another controller in a country outside the EEA, these transfers are screened by CG and the
necessary measures are applied.
Some examples of controllers outside the EEA that may receive personal data from CG (as at 16 September 2022):
Controller | Data categories | Country
Google (see 5.3.2) | Basic identification and contact details, data relating to product ownership and product usage, etc. | United States of America
5.8 CG thinks before it answers queries from outside parties
5.8.1 Compliance with confidentiality obligations
As CG Bank NV has to comply with its confidentiality obligations and with the data protection legislation, it may only answer queries
from third parties if they arise pursuant to a legal requirement or a legitimate interest, if doing so is a prerequisite for performing the
contract, or if the data subject has given their permission.
In the last case, it actually advises requesting the information directly from the data subject.
CG Bank NV declines liability if, as a result of foreign legal obligations, the lawful recipients of personal data are required to pass
personal data about customers on to local authorities, or if they process personal data without an adequate level of security.
5.8.2 Ombudsfin must apply to CG Complaints Management
CG Complaints Management provides answers to the questions posed by Ombudsfin, the ombudsman for banking.
5.8.3 Third parties must contact the ‘Third-Party Enquiries’ department.
If you as third party have queries about customers, for example because you work for the police or are a notary public or lawyer,
you can contact CG’s Third-Party Enquiries department, Brusselsesteenweg 100, 3000 Leuven. This specialist department will
answer your query subject to bank secrecy obligations and the privacy laws. CG Bank branches and other departments will
therefore refer you to that department.
5.9 You can also help in protecting your data
There are certain aspects of (technical) data processing over which CG Bank has no, or at best insufficient, influence and for
which it cannot guarantee total security. Examples include the Internet or mobile communications (such as smartphones).
If hackers are active, CG Bank NV does not always succeed in defeating their cyber-attacks in time. It sometimes does not even
know that it is happening, for example if a hacker manages to obtain your identification details by installing illegal software on your
computer (spyware) or by creating a fake website (phishing). You will find more information on secure online banking at
www.febelfin.be (safe online banking).
CG Bank NV therefore suggests that you regularly take a look at the CG website for information on safe online banking:
www.kbc.be/secure4u. This site always contains the most up-to-date tips and recommendations to keep you secure online.
CG Bank NV – Havenlaan 2 – 1080 Brussels – Belgium – VAT BE 0462.920.226 – RLP Brussels – IBAN BE98 7300 0000 0093 – BIC KREDBEBB Member of the CG group Version of 02/05/2023
