Privacy statement

The Triodos Bank privacy statement sets out your rights and the measures Triodos Bank will take to protect your personal data.

Triodos Bank values transparency and clarity. That’s why we’d like to inform you about how and why we collect, use, store and protect your personal information. We do this in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This statement applies to all personal data we process when you use our services, visit our websites, use the mobile app, or otherwise interact with us. It also details your rights regarding your information and explains how you can exercise those rights.

We take your privacy seriously and encourage you to read this privacy statement carefully to understand how we manage your personal data. Any terms with a specific definition used in this statement, are highlighted in italics and are explained in the Glossary section.

Triodos Bank will periodically review and update this privacy statement. You can download a copy of our Privacy Statement here.

When you apply for a product or service, or when you contact us, we want to help you quickly and effectively. To do this, we need to know who you are. We use certain personal data for this purpose.

What does 'processing personal data' mean?

The processing of personal data includes all actions that can be done with information. Such as collecting, storing, viewing, sharing, transferring, and analysing data.

Who is responsible for your personal data?

Triodos Bank N.V. is responsible for processing your data. The Triodos group operates across Europe in Belgium, Germany, The Netherlands, Spain, and the UK. The Group headquarters is located at Hoofdstraat 10, 3972 LA, Driebergen-Rijsenburg, The Netherlands. The company is registered under Chamber of Commerce number 30062415. Please visit our website for more information about us and how to contact us.

We have appointed a Data Protection Officer (DPO) to help ensure that your data is protected in line with GDPR requirements. If you have any data protection question that our website doesn’t answer, or if you want further information, please contact our data protection officer via: [email protected].

What personal data does Triodos process?

Triodos Bank may process different types of personal data depending on our relationship and the products you purchase from us.

Below is a complete list of the categories of personal data that we process. We illustrate each category with a few examples:

Personal Identification details

Information about who you are, such as first and last name, date of birth, country and city of birth, nationality and signature.

National identification numbers

A number or code given to you by a government authority to identify who you are, such as your passport details.

Contact information

Information about how we can reach you, such as your address and place of residence, telephone number and email address.

Communication preferences and consent data

Your choices about how and when we communicate with you, such as your preferences for receiving newsletters.

Contractual information

Information about the products and services we provide to you, such as contract numbers and types of products.

Financial & transactional information

Information about how you use our products such as your bank account number, transaction history, and who you paid or received a payment from.

Account access and technical data about the use of our website and mobile app

Information about how you use our online and mobile banking, such as your geo location, cookie information, IP address, device information and what services you use.

Customer interaction records

Information about your communications with us, such as recordings, summaries or transcriptions of phone calls and chat messages.

Socio-demographic data

Information about your personal and economic background, such as employment details, your household composition, your financial situation, and other background information.

Data from external sources

Information that we receive from other parties. For example, data from the Land Registry, the trade register of the Chamber of Commerce, Credit Reference agencies or from public sources such as the insolvency register, trade information agencies, newspapers or the internet.

Visitor information

Information that we receive when you visit one of our offices, such as your license plate number, or recordings from our CCTV cameras.

Special categories of personal data

The GDPR categorises certain sensitive personal information as 'special category’ personal data. This includes for example, information about your health, political opinions, or sexual orientation. Biometric data, such as facial recognition and fingerprints, are also categorised as ‘special category’ personal data.

Triodos Bank will only process this type of data if there is a legal obligation to do so, or if it is required to provide (or continue to provide) a product or service to you in accordance with legal or regulatory requirements. For example, we record biometric data when we ask for a photo or recording of your identity document or your face to identify you. We use this to determine the authenticity of your identity document or, for example, to give you (re)access to your bank account(s) in the mobile app.

Why is your personal data required?

When you apply for a product or service with Triodos you will need to provide certain personal data. This enables us to process your application, and to provide the product or service you want on an on-going basis. Before we provide products or services to you, we undertake checks for the purpose of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

If you choose not to provide your personal data

If you choose not to provide us with, or choose to restrict processing of, the information we need it may prevent us from meeting our contractual and legal obligations. In that case we are not able to provide you with the product you have applied for. This situation could result in the cancellation of a product or service you have with us. Or the termination of our contract with you.

Processing based on consent

For some of the services that we provide, we process your data with your consent as the lawful basis. You can withdraw your consent for these services at any time. This will mean that you opt out of receiving (parts of) those particular services, but it has no consequences for other contracts or services.

How will we use your personal data?

General Data Protection Regulation (GDPR) legislation only allows the processing of personal data if one or more conditions are met. This is known as a lawful basis for processing. The four bases that Triodos uses are:

You give your consent to process your data
We use data to perform a contract with you
We need data to comply with a legal obligation
There is a legitimate business interestfor Triodos in using the data. This interest must be balanced against and not override your fundamental rights and legitimate interests.

What do we use your personal data for?

To identify you so we can be sure it's you

When you apply to become a customer, we want to make sure it's you. To do this, we may ask for identification documents and take a short video recording of your face. We use a photo or video of your identity document to (re)identify you and to verify the authenticity of the identity document. From your facial image, several facial features are compared with the photo on your identification document.

To provide our products and services and maintain an optimal relationship with you

For example, to process your product request, to manage products, to be able to execute payment orders, to contact you or to keep track of your data and to change it if necessary.

Based on your use and your feedback, we can see which products or services are of interest to you and we can further develop our products or services.

To ensure the safety of our customers, ourselves and the financial industry, to reduce risk and prevent fraud

For example, to investigate possible criminal activities. But also, to ensure that we only provide responsible loans and to protect our clients from investment risks. We also use the data to evaluate and improve how we can prevent financial crime.

To comply with regulatory or legal obligations

For example, to identify new customers and to be able to take into account changes in your situation (duty of care). In certain cases, we are also obliged to pass on your data to governmental organisations, such as the tax authorities or the judiciary.

To improve our services

For example, to test new or existing products or to develop new ways of providing services. In this way, we can make our services more efficient and suitable for you.

For promotional and marketing purposes

We will keep you informed with emails, newsletters and offers on our website. We also use personalised advertisements on websites and social media.

Marketing communications

From time to time, we will send you information about our products and services and the projects we finance. We are careful not to send you information or additional information about our products and services, when you do not want it. You can choose what communications you want to receive when you apply for or open a product or service with us. And you can change your communication preferences in Mobile and Internet Banking or by contacting us.

You will also be provided with an opportunity to stop receiving marketing communications from us through an ‘unsubscribe’ link in any emails we may send you.

If you are not yet a customer of Triodos and want to receive marketing communications from us, you can request this through our website or by calling our contact team. You will be asked to provide us with your contact details and to give your consent to Triodos to use your personal data. You may withdraw your consent and unsubscribe from the marketing communications whenever you want. We will not give your personal data to anyone else for marketing purposes (other than those described below in ‘Who do we share your personal data with and why’) without informing you and obtaining your consent.

Personal data used for marketing purposes consists of the personal data we have received from you, and data we have collected when you use our products or services. We only use your personal data to send you marketing communications if we have either a legitimate interest or your consent. A legitimate interest in a marketing context means that we will only send you marketing communications in relation to products or services that may be of interest to you based on what we already know about you. Our legitimate interests will always be balanced with your interests, and you can ask us at any time to stop sending you marketing communications.

How do we obtain your personal data?

You provide most of the personal data that Triodos Bank processes yourself. For example, when you interact with us, request something, or when you consent to having your online activity recorded. In addition, we receive data from other parties with whom we work, for example to carry out financial transactions.

Data that you provide to us yourself

We receive the personal data we collect from you, among other things, when you:

Apply for our financial products or services
Talk to us in person, by phone or via chat
Use our websites or mobile apps
Subscribe to a newsletter or other marketing messages
Send us emails or letters
Participate in interviews, customer surveys, competitions, or promotional activities
Visit our office

Information that other parties provide to us

In certain cases, we receive information from companies we work with. Data sharing only takes place when there is a lawful basis for processing. This could include the following:

Companies that introduce you to us
Card providers such as Visa
Credit reference agencies such as Experian
Financial advisors or representatives
Insurers
Fraud prevention agencies such as CIFAS (Credit Industry Fraud Avoidance System)
Public sources of information
Agents working on our behalf
A legal representative or family member
Market researchers
Government and law enforcement agencies

Cookies

Triodos Bank default position is that we will not disclose personal data to organisations outside of the European Economic Area (‘EEA’). However, where this is required we will inform you and confirm why we need to do this. When we do transfer personal data outside of the EEA, we make sure that the data it is protected at the same level as within the EEA by using one of these safeguards:

Transfer of data to organisations in non-EEA countries (or states or provinces of these countries) with privacy laws in place providing the same level of data protection as within the EEA;
Transfer of data to organisations that are part of “Privacy Shield” which is an international framework that sets privacy standards at a similar level as those of the EEA.
Putting a contract in place with the recipient ensuring that they will process the data with the same level of data protection as within the EEA.

For more information, please visit the privacy statements published in our local websites:

Automatic decision making

When you request a product or service through our website or mobile app, the decision-making about this request is largely automated. For this we use our own systems and those of external providers. This helps us to make fast, fair, efficient and correct decisions based on up-to-date information. These decisions may affect the products, services, or features we offer you now or in the future.

Good to know: at Triodos Bank, a decision is never based solely on automated systems. There is always a person involved to verify the decision.

Types of automated processing

Opening an account

When you open an account with us, we check whether the product or service is relevant for you. We do this based on the data you have provided and any reference information from external providers. We check that you or your business meet our requirements to open an account. This may include verifying your identity and personal information, such as your age, place of residence, nationality, and credit history.

Approving credit

When you apply for credit, we make a risk assessment to decide whether to lend you money. This assessment is based on the data from your application, external credit reference information and an analysis to understand your financial situation.

Tailoring products and services

We monitor financial activities to study and learn about our customers’ behaviour and needs. We make decisions based on what we learn to improve our service quality and products. We put customers with similar activities into groups called customer segments. The use of customer segments helps us to design products and services that better suit our customers’ need. And to market them appropriately and effectively to customers who are likely to be interested in them.

Protecting you from fraud

We monitor your personal or business account to identify whether you may have been a victim of fraud. If we identify that there is a risk of fraud, we may stop financial transactions and temporarily block access to your account while this is investigated. You will be contacted and kept up to date during this process.

Triodos policy on Artificial Intelligence in processing personal data

Our approach to Artificial Intelligence (AI) systems is guided by a commitment to ethical principles that prioritise human dignity, equity, and responsibility. We only use data for AI systems in a manner that is respectful of privacy and personal autonomy. We ensure that data is collected and used only for its intended purpose, and is managed in compliance with existing data protection regulations. Furthermore, we maintain a strong emphasis on human oversight throughout all AI processing that we would consider using. We currently use AI systems for the following purposes:

Assisting our co-workers in their tasks

We use AI systems that help our co-workers to perform their tasks, such as transcribing phone calls or supporting in the verification of your identity.

Creating insights for Triodos

We use AI systems to analyse patterns in customer information to better understand our customers and their needs. This helps us to improve our services and make better business decisions.

Creating insight for you

If you choose, our mobile banking app can show you personalised insights about your spending and saving patterns by analysing your transactions. This is an optional service which we only provide with your consent.

Who do we share your personal data with and why?

Triodos will only share your data if there is a lawful basis to do so. We will treat all your personal data as private and confidential (even when you are no longer a customer). Information we hold about you will not be disclosed to anyone unless:

We are legally obliged to share the information. This includes for instance sharing information with the tax authorities and law enforcement agencies such as the police.
We need to share the information in connection with legal proceedings, to obtain legal advice or for the establishment, exercise or defence of legal rights.
Sharing the data is required to protect our legitimate interests or the legitimate interests of someone else (for example, to prevent fraud).
You consent to the sharing of the data.
We share data with other companies because they perform administrative or other services on behalf of Triodos Bank. In that case, we will ensure that these companies handle data in the same way as we do ourselves.

Parties with whom we may share data:

Government agencies and regulators such as tax authorities. We share personal data with government bodies and regulatory authorities to comply with legal and regulatory requirements.
Judicial authorities, law enforcement bodies or disputes committees such as HMRC or the police. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. We only share information on the basis of an explicit request and if there is a legal basis for doing so.
Financial institutions. We share personal data to facilitate transactions and withdrawals and to facilitate our financial services.
Third-party payment service providers. under the revised EU Payment Services Directive (PSD2). We will only share your account information with a third-party payment service provider if you have given your explicit consent to do so.
Credit reference agencies such as Experian.We share personal data with organisations that collect and maintain information about consumer’s credit histories.
Fraud prevention agencies. We share personal data with fraud prevention agencies to help identify, investigate, and prevent fraudulent activities and other financial crimes. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years
Financial business partners. We may share personal data with companies that perform specialised services.
Companies that perform other services for us. For example, sending mail, drawing up reports and printed matter or performing calculations. In addition, we share data with companies that perform legal, control or advisory work.
Companies that support marketing activities. Marketing partners and agencies may be involved in creating and executing promotional campaigns.
Companies that are joint controllers such as Visa, Apple Pay and Google Pay. For some services, we may share personal data with organisations that jointly determine the purposes and means of processing your data alongside us. In these joint controller arrangements, we have clear agreements in place establishing our respective responsibilities for complying with data protection regulations, and either party may be contacted regarding your data protection rights.
If you are a Depository Receipt holder, we will share your information with parties responsible for registering Depository Receipts.

Stichting Administratiekantoor Aandelen Triodos Bank (SAAT) is responsible for the registration of the personal data of holders of depository receipts in Triodos Bank. SAAT cooperates with Triodos Bank for this registration.

SAAT and Triodos Bank have agreed with the company Captin BV (Captin) to take over this registration.

In connection with the listing and trading on Euronext Amsterdam of all depository receipts issued by SAAT that represent ordinary shares in the capital of Triodos Bank Triodos Bank and SAAT have engaged ABN AMRO for various banking services, including those of listing agent. These banking services include ongoing operational support, ongoing agent for organizing and inviting to any extraordinary or annual general shareholders’ meetings or extraordinary or annual meetings of depository receipt holders, as paying agent, and as agent representing SAAT in relation to the Nederlands Centraal Instituut voor Giraal Effectenverkeer B.V. (Euroclear Netherlands).

To ensure that your data is handled appropriately, we have data processing agreements in accordance with relevant laws and regulations.

Read more about the listing: Euronext Listing

Does Triodos Bank share your data outside of the European Economic Area?

Triodos Bank's default position is that we do not share personal data with organisations outside the European Economic Area (EEA). When we do transfer personal data outside of the EEA, we will make sure that it is protected at the same level as within the EEA by using one of these safeguards:

Transfer data to organisations in non-EEA countries with privacy laws that provide the same level of protection as within the EEA.
Put a contract in place with the recipient containing EU Model clauses (Standard Contractual Clauses) ensuring that they will process the data with the same protection as within the EEA.

Protection of personal data

Your personal data will only be processed on data centres and computers that are protected by security technology and comply with industry standards (e.g. firewalls, multifactor protection, access controls, etc.).

How long do we keep your personal data?

As long as you are our customer, we will process your data to provide the products and services you have asked for. If you interacted with us but aren’t a customer, or when you decide to leave Triodos Bank we will retain some or all of your data. We keep this data no longer than necessary for one of the following reasons:

To respond to your questions or complaints
To show that we have treated you fairly
To meet our ongoing legal and regulatory requirements

In principle, the retention period of your personal data is maximum 10 years. This depends on the nature of our relationship and any products and services you may have used. This period may be longer if we are unable to delete the data due to legal or regulatory reasons. In that case, we will take measures to ensure that your personal data is not further processed by us.

What are your rights and how do you invoke them?

Triodos Bank processes your personal data to provide you with a service. We handle this very carefully. Of course, you remain in control of your data. We are therefore happy to point out your rights.

The right to access your personal data

Do you want to know which of your data we use? In Internet Banking and the Mobile Banking app you can see which contact details we have. You can also view the transaction history and account details.

The right to rectification (correcting mistakes or inaccuracies)

It is important that all personal data we use are accurate, up-to-date and relevant. You therefore always have the right to correct and update your personal data. In Internet Banking and the Mobile Banking app you will find an overview of the contact details we use. Here you can also change this information.

The right to erase your personal data

You have the right to ask us to delete your personal data if:

This personal data is no longer necessary for the purpose for which it was collected
You withdraw consent and there is no other legal basis for processing your personal data
You object to us processing your personal data for direct marketing purposes
You object to us processing your personal data for the legitimate interest of Triodos Bank
You believe that your personal data is not being processed lawfully
Your personal data must be deleted to comply with legal requirements

However, Triodos Bank may refuse your request (in whole or in part) when we have compelling reasons. Particularly when it involves data that is necessary for us to comply with legal obligations (e.g. retention periods), or to fulfil our contractual obligations. We will delete your data when they are no longer required.

The right to restrict the processing

You have the right to request the restriction of the processing of your personal data for a limited period and under certain circumstances. For example, this could apply if you feel that your personal data held by Triodos is inaccurate, has not been processed lawfully, or is no longer needed for the purposes it was originally collected for. Triodos has the right to store your personal data while your query is investigated.

The right to data portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format.

The right to object to processing

You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, and processing for historical research and statistical purposes. However, Triodos Bank is legally allowed to continue to process your data if one of the following can be demonstrated:

a. compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or

b. processing is required for the establishment, exercise or defence of legal claims.

Rights related to automated decision making, including profiling

You have the right to object to being subjected to decisions based solely on automated processing, including profiling. You can challenge any automated decision you are not happy with and can ask us to reconsider any decision that was made solely by automated means.

How can you exercise your rights?

Please contact us using the details included on our website if you would like to receive an overview of your data or if you would like to exercise any of your rights. You can do this at any time and free of charge.

The right to lodge a complaint

Please contact Triodos Bank in the first instance if you have any concerns with how we have processed your personal data. Details on how to do this are included in our website.

Are you not satisfied with your complaint handling? Then you can also appeal to Triodos Bank's Data Protection Officer via [email protected] Triodos Bank UK.

You also have the right to lodge a complaint directly with the Dutch Data Protection Supervisory Authority (Autoriteit Persoonsgegevens); please visit their website for further details on how to do this.

You also have the right to lodge a complaint directly with the local data privacy regulators. For more information please visit the privacy statements published in our local websites:

If you are an EU resident, you may also decide to lodge a complaint with your national Data Protection Supervisory Authority instead.

Glossary of technical and legal terms

Cookies

A message given to an Internet Browser by a Server, which is stored in a text file; the message is then sent back to the Server each time the Browser requests a webpage to be opened. Cookies are used to identify users of webpages and to customise content where applicable.

Customer segments

Customer segmentation is the process of dividing customers into groups based on common characteristics, so organisations can market to each group effectively and appropriately.

Data Controller

An individual or organisation which determines why personal data needs to be processed, and the manner it is processed in.

Data Processor

An individual or organisation which processes personal data on behalf of a data controller, in accordance with instructions from the data controller.

Data Protection Officer

A position within an organisation responsible for ensuring that personal data is processed in accordance with EU and UK data privacy requirements.

Data Subject

An individual who can be identified from the personal data i.e. the person the data is about.

Direct Debit Scheme

A payment mechanism enabling electronic payments to be made once authorisation has been provided by the originator.

European Economic Area (EEA)

The European area which provides for the free movement of persons, goods, services and capital; it is made up of EU members plus other countries within Europe which have agreements in place with the EU.

GDPR - General Data Protection Regulation

The legal framework that sets the guidelines and requirements for the collection, processing and storage of personal data of identifiable individuals within the European Union (EU). The GDPR legislation was adopted in April 2016 and came into force across the EU (including the UK) on 25 May 2018.

Lawful basis for processing

One of six allowable lawful bases for processing must be satisfied for Triodos to process your personal data. The six lawful bases are:

Consent - the individual has given clear consent
Contract - processing is necessary for a contract to be provided
Legal obligation - processing is necessary to comply with the law
Protect life - processing is necessary to protect someone’s life
Public interest - processing is necessary to perform a task in the public interest
Legitimate interest - processing is necessary for Triodos’ legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual’s data which overrides these legitimate interests

Legitimate interests

The business reason for Triodos to use your information. It must not conflict unfairly with your rights and interests. GDPR specifically mentions several examples of legitimate interests such as the prevention of fraud, marketing customers could reasonably expect to receive, or IT security for instance.

Personal Data

Any information relating to an identified or identifiable natural person (an individual).

Special Categories of Personal Data

Personal data which relates to particular characteristics including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or medical information, sexual life or orientation.

Additional protection is required for personal data falling into this category, and both a general and specific lawful basis for processing is required. This means that one of the six general GDPR lawful bases for processing is needed, as well as one of the following which relate specifically to special categories of personal data:

explicit consent
processing is necessary for meeting obligations under employment, social security and social protection law
processing is necessary to protect the vital interests of someone who is unable to provide consent
processing is carried out during legitimate activity by a Foundation, Association or other not-for-profit body with a political, philosophical, religious, or trade union-based aim and processing relates to current or former members of that organisation, and that personal data is not disclosed outside of that organisation
processing relates to personal data which has been made public by the individual
processing is necessary in relation to legal claims or judicial acts
processing is necessary for reasons of substantial public interest (with a basis in law)
processing is necessary in relation to health or social care (with a basis in law)
processing is necessary for public health (with a basis in law)
processing is necessary for archiving, research, or statistical analysis (with a basis in law)

Where one of these ‘legal bases for processing’ are used additional conditions under Schedule One of the DPA (2018) must also be satisfied.
Third parties Organisations external to Triodos who undertake services and activity on our request such as our business partners, suppliers and affiliates.

Privacy statement

What is personal data?

What does 'processing personal data' mean?

Who is responsible for your personal data?

What personal data does Triodos process?

Why is your personal data required?

About your data

How will we use your personal data?

How do we obtain your personal data?

Cookies

Automatic decision making

Who do we share your personal data with and why?

Does Triodos Bank share your data outside of the European Economic Area?

Protection of personal data

How long do we keep your personal data?

About your rights

What are your rights and how do you invoke them?

How can you exercise your rights?

The right to lodge a complaint

Glossary

Glossary of technical and legal terms

Main

Our impact

Banking

Investing and giving

We use cookies

What does 'processing personal data' mean?

Who is responsible for your personal data?

What personal data does Triodos process?

Why is your personal data required?

How will we use your personal data?

How do we obtain your personal data?

Cookies

Automatic decision making

Who do we share your personal data with and why?

Does Triodos Bank share your data outside of the European Economic Area?

Protection of personal data

How long do we keep your personal data?

What are your rights and how do you invoke them?

How can you exercise your rights?

The right to lodge a complaint

Glossary of technical and legal terms