1. About this Privacy Statement
This Privacy Statement applies to ING Bank (Australia) Limited (ABN 24 000 893 292) and ING Bank N.V., Sydney Branch and aims to explain in a simple and transparent way what personal data we gather about you and how we process it. It applies to the following people:
All past, present and prospective ING customers. We are legally obliged to retain personal data about you, also for a certain period once the relationship has ended, in compliance with 'know your customer' regulations.
Anyone involved in any transaction with our bank, whether it's in your personal capacity or as a representative of a legal entity (for example, a company manager, agent, legal representative, operational staff, etc.).
Non-ING customers such as payees or the contact persons of corporate clients.
'Personal data' refers to any information that tells us something about you or that we can link to you. This includes your name, address, date of birth, account number, IP address or information about payments you've made from your bank account. By 'processing' we mean everything we can do with this data such as collecting it, recording, storing, adjusting, organising, using, disclosing, transferring or deleting.
You share personal data with us when you become a customer, register with or use our online services, complete an online form, sign a contract, use our products and services or contact us through one of our channels.
We also use data that is legally available from public sources such as debtor registers, land registers, commercial registers, registers of association and the media, or is legitimately provided by other companies within the ING Group or third parties such as our customers, credit agencies or government departments. Our Social Media User Terms (https://www.ing.com.au/pdf/Social_Media_User_Terms.pdf). apply to your use of ING's social media sites or facilities. If you engage with us on any of our social media channels, you agree to be bound by these terms.
2. The types of data we collect about you
The personal data we collect includes:
Identification data, such as your name, surname, date and place of birth, ID number and the IP address of your PC or mobile device.
Contact details, such as your mobile phone number, telephone number, email address and residential address.
Transaction data, such as your bank account number, deposits, withdrawals and transfers related to your account.
Financial data, such as invoices, credit notes, payslips, payment behaviour, the value of your property or other assets, your credit history, credit capacity, your previous or current insurance, financial products you have with ING, whether you are registered with a credit register, payment arrears and information on your income.
Socio-demographic data, such as whether you are married and have children
Online behaviour and preferences data, such as the server or IP address of your mobile device or computer, the date and time of pages you visit on ING websites and apps, documents downloaded, the site you visited prioir to visiting our website, the browser you are using to access our resources, if you have visited our website before and tracking user preferences.
Data about your interests and needs that you share with us, for example when you contact our call centre or fill in an online survey.
Audio-visual data, such as surveillance videos at ING branches or recordings of phone calls to our customer service centres.
We do not record sensitive data relating to your health, ethnicity, religious or political beliefs, or criminal record unless it is strictly necessary. When we do, it is limited to specific circumstances, for example, if you apply for certain insurance products or if you instruct us to pay a membership fee to a political party. We are legally obliged to keep a copy of your passport.
With your explicit consent or if required or allowed by law, we may collect your genetic or biometric data (your fingerprint, voice or facial features) which may be used to verify your identity or use it as an extra means of security in apps when you choose for such authentication to authorise transactions.
We only collect data about children if they have an ING product or if you provide us with information about your own children in relation to a product you buy or apply for.
3. What we do with your personal data
We only use your personal data for legitimate business reasons.
Administration. When you open an ING account we are legally obliged to collect personal data that verifies your identity (such as a copy of your ID card or passport) and to assess whether we can accept you as a customer. We also need to know your address or phone number to contact you.
Product and service delivery. We use information about you to assess whether you are eligible for certain products and services such as a current or savings account, mortgage, loan, investment or insurance.
Managing customer relationships. We may ask you for feedback about our products and services and share this with certain members of our staff to improve our offering. We might also use notes from conversations we have with you online, by telephone or in person to customise products and services for you.
Credit risk and behaviour analysis. To assess your ability to repay a loan we apply specific statistical risk models based on your personal data.
Personalised marketing. We may send you letters, emails, or text messages offering you a product or service based on your personal circumstances, or show you such an offer when you log in to our website or mobile apps. You may unsubscribe from such personalised offers. You have the right, not to consent or to object to personalised direct marketing or commercial activities, including profiling related to these activities.
Providing you with the best-suited products and services. When you visit our website, call our customer service centre or visit a branch we gather information about you. We analyse this information to identify your potential needs and assess the suitability of products or services. For example, we may suggest investment opportunities suited to your profile. We analyse your payment behaviour, such as large amounts entering or leaving your account. We assess your needs in relation to key moments when a specific financial product or service may be relevant for you, such as starting your first job or buying a home. We assess your interests based on simulations you participate in on our website.
Improving and developing products and services. Analysing how you use our products and services helps us understand more about you and shows us where we can improve. For instance,
when you open an account, we measure the time it takes until your first transaction to understand how quickly you are able to use your account.
we analyse data on transactions between you and our corporate customers to offer information services to our corporate customers or provide them advice on how they can make better use of ING’s products and services. When ING processes personal data for this purpose, aggregated data may be made available to the corporate customer. A corporate customer cannot identify you from these aggregated data.
we analyse the results of our marketing activities to measure their effectiveness and the relevance of our campaigns.
sometimes we may use automated processes to help analyse your personal data, for example we use an algorithm to speed up credit decisions for loans and mortgages.
we may use your data to send you personalised offers by post, email or on our website or mobile apps. You have the right to object at any time to personalised direct marketing or commercial activities, including profiling related to these activities.
Preventing and detecting fraud and data security. We have a duty to protect your personal data and to prevent, detect and contain data breaches. This includes information we are obliged to collect about you, for example to comply with regulations against money laundering, terrorism financing and tax fraud.
We may process your personal data to protect you and your assets from fraudulent activities, for example if you are the victim of identity theft, if your personal data was disclosed or if you are hacked.
We may use certain information about you for profiling (e.g. name, account number, age, nationality, IP address, etc.) to quickly and efficiently detect a particular crime and the person behind it.
We use contact and security data (such as card readers or passwords) to secure transactions and communications made via remote channels. We could use this data to alert you, for example when your debit or credit card is used in a non-typical location.
Internal and external reporting. We process your data for our banking operations and to help our management make better decisions about our operations and services. We also process your data to comply with a range of legal obligations and statutory requirements (anti-money laundering legislation and tax legislation, for example).
Data that we process for any other reason is anonymised or we remove as much of the personal information as possible.
4. Who we share your data with and why
To be able to offer you the best possible services and remain competitive in our business, we share certain data internally and outside of ING. This includes:
We transfer data across ING businesses and branches for operational, regulatory or reporting purposes, for example to screen new customers, comply with certain laws, secure IT systems, analyse our portfolio or provide certain services (see section ‘What we do with your personal data’ for the full list). Accordingly, your personal data may be disclosed to staff in the ING Group entities in countries where those entities are located including the Netherlands, Slovakia, the Philippines, Poland and Singapore. We may also transfer data to centralised storage systems or to process it globally for more efficiency. All internal data transfers are in line with our Global Data Protection Policy.
We share information with independent agents who act on our behalf. These agents are registered in line with local legislation and operate with due permission of regulatory bodies. You can read more about how we work with these agents at https://www.ing.com/en.htm and in the relevant terms and conditions for your banking product.
To comply with our regulatory obligations we may disclose data to the relevant authorities, for example to counter terrorism and prevent money laundering. In some cases, we are obliged by law to share your data with external parties, including:
Public authorities, regulators and supervisory bodies such as the central banks of the countries where we operate.
Tax authorities may require us to report your assets (e.g. balances on deposit, payment or savings accounts or holdings in an investment account). We may process your social security number for this.
Judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legal request.
Lawyers, for example, in case of bankruptcy, notaries, for example, when granting a mortgage, trustees who take care of other parties' interests, and company auditors.
When you withdraw cash, pay with your debit card or make a payment to an account at another bank, the transaction always involves another bank or a specialised financial company. To process payments we have to share information about you with the other bank, such as your name and account number. We also share information with financial sector specialists who assist us with financial services like:
exchanging secure financial transaction messages
payments and credit transactions worldwide
processing electronic transactions worldwide
settling domestic and cross-border security transactions and payment transactions.
Sometimes we share information with banks or financial institutions in other countries, for example when you make or receive a foreign payment. And we share information with business partners whose financial products we sell, such as insurance companies.
Credit reporting bodies
If permitted by the Privacy Act and the Privacy (Credit Reporting) Code, we may disclose information to credit reporting bodies prior, during or after the product is provided to you. This includes:
identity particulars, that you have applied for a loan and the date on which the loan is entered into, the type of loan, terms and conditions relating to the loan, the amount of the loan and date on which the loan is paid out, discharged or account closed;
your repayment history (information about whether you met your monthly repayments);
details of payments for no less than $150 that are at least 60 days overdue (subject to the financial hardship process and otherwise providing you with at least 14 days’ notice);
our opinion that you have committed a serious credit infringement.
When we use other service providers we only share personal data that is required for a particular assignment. Service providers support us with activities like:
performing certain services and operations (including to conduct identification verification, name screening and other checks, which help us to comply with our regulatory obligations and manage our regulatory risks);
designing and maintenance of internet-based tools and applications;
marketing activities or events and managing customer communications;
preparing reports and statistics, printing materials and designing products; and
placing advertisements on apps, websites and social media.
We may disclose certain personal data relevant to the provision of insurance products (such as home and contents or vehicle insurance), including personal data that is disclosed on your application form, to the relevant insurer which issues and underwrites the insurance products, this is Auto & General Services Pty Ltd ABN 61 003 617 909 (AGS) or to an insurance broker, who may offer or supply you with insurance, unless you tell us otherwise.
AGS may use personal data collected from us, initially for the purposes of providing you with a premium estimate for that insurance product and for the purposes of considering any application you make for an insurance product. If you decide to proceed with an application for insurance, AGS may use, hold and disclose to third parties any personal data it collects about you, including from us, for the purposes of considering any application you make for an insurance product, providing those products and services to you, internal management and risk functions, enhancing AGS products and services and otherwise administering the relationship AGS has with you. AGS may also disclose your personal data to third parties which are involved with the provision of the insurance product to you, such as related bodies corporate of us or the insurer, claims assessors, investigators, lawyers (should they be required in the event of a claim), other insurers (for the purpose of seeking claims recoveries or to assist them to assess insurance risks), insurance reference services, service providers (including those that help us to conduct screening and checks, which help us comply with our regulatory obligations and manage our regulatory risks).
If you don't provide personal data to us (or to AGS) it will not be possible for AGS to estimate your home and contents insurance premium or offer insurance to you.
Some of the parties with which AGS exchanges personal data, may be located outside Australia in countries including Philippines, Singapore, Slovakia, Netherlands, Spain, Japan, United Kingdom, South Africa and the United States of America.
Lender's Mortgage Insurance
We may disclose personal data (including credit-related personal data) to the lender's mortgage insurer (LMI) listed below.
The LMI may use, hold and disclose to third parties any personal information it collects about you from us or credit reporting bodies in order to assess whether to insure the risk of providing mortgage insurance; to assess the risk of default; to assess the risk of a guarantor being unable to meet a liability arising under a guarantee; to administer and vary the insurance cover, including for securitisation and hardship applications; to verify information that we collect about you; to deal with claims and recovery of proceeds including, among other things, to enforce a loan in place of a lender if the mortgage insurer pays out an insurance claim on your loan; for a mortgage insurance purpose; and for any other purpose under the insurance policy issued to us relating to your loan, as well as for other internal management and risk purposes.
If you don't provide personal data to us, it will not be possible for the LMI to process our request for lender's mortgage insurance.
The LMI that we may disclose your personal data and credit-related personal data to is Genworth Financial Mortgage Insurance Pty Ltd. You can contact Genworth by calling 1300 655 422 or by visiting genworth.com.au.
The LMI may disclose your personal information to entities located overseas including in the USA, Canada and the United Kingdom.
We may disclose personal data (including your tax file number) relevant to the provision of an account in a superannuation fund to the superannuation fund provider (in the case of ING Living Super, this is Diversa Trustees Limited (ABN 49 006 421 638, AFSL 235153, RSE L0000635 (Diversa)).
The superannuation provider may use personal data collected from us, initially for the purposes of assessing your application and eligibility for the superannuation fund. If you decide to proceed with an application for an account in the superannuation fund, the superannuation provider may disclose your personal data to us or third parties in order to assist the superannuation provider in providing, managing and administering your account in the superannuation fund or for other related purposes. This includes to:
the administrator of the superannuation fund responsible for undertaking the administration and day-to-day operation of the superannuation fund, including establishing and maintaining member records, processing contributions, rollovers and benefits, and providing regular statements;
the custodian of the superannuation fund;
the insurer responsible for providing insurance cover and assessing insurance claims to members of the superannuation fund;
the broker or share trader responsible for buying and selling listed securities;
the provider of financial tools and calculators on the designated superannuation fund website;
the ATO as required by law, to administer your account in the superannuation fund, to conduct searches on the ATO’s Lost Member Register and to facilitate the consolidation of your superannuation with your consent;
Government authorities as required or desirable in administering and conducting the business of the superannuation fund including in complying with relevant regulatory or legal requirements;
the trustee of another fund where you request that your superannuation interest be transferred between superannuation funds;
organisations providing financial planning services with which the superannuation provider has entered into an agreement for them to provide financial planning advice services to members of the superannuation fund;
your financial adviser, your power of attorney, or your appointed representative;
any third party product and service supplier that the superannuation provider has an arrangement with (so that either the superannuation provider or they may provide you with the product or service you have requested or in which you have expressed an interest);
organisations who perform services or functions on the superannuation provider's behalf (including us);
organisations undertaking reviews of the accuracy and completeness of the superannuation provider’s information;
doctors, medical services or other organisations providing services in the collection, collation or assessment of personal information (including health information) for the purpose of assessing your claim.
If you don't provide personal data to us (or to the superannuation provider) it will not be possible for the superannuation provider to offer an account in the superannuation fund to you.
Some of the parties with which Diversa exchanges personal data, may be located outside Australia in countries including Singapore and the Netherlands.
We may also disclose personal data to:
organisations involved in securitisation arrangements. These organisations include trustees of those arrangements, investors and their advisers; and
organisations undertaking compliance reviews of financial advisers or mortgage intermediaries.
We are always looking for new insights to help you get ahead in life and in business. For this, we may exchange personal data with partners like universities, who use it in their research, and innovators. The researchers we engage must satisfy the same strict requirements as ING employees. This personal data is shared at an aggregated level and the results of the research are anonymous.
In all of these cases, we ensure the third parties can only access personal data that is necessary for their specific tasks.
Whenever we share your personal data internally or with third parties in other countries, we ensure the necessary safeguards are in place to protect it. For this, ING relies on:
Binding Corporate Rules as defined in EC Regulation (EU) 2016/679. These are known as the ING Global Data Protection Policy (GDPP) and have been approved by the data protection authorities in all EU member states.
EU Model clauses, which are standardised contractual clauses used in agreements with service providers to ensure personal data transferred outside of the European Economic Area complies with EU data protection law.
Privacy Shield framework that protects personal data transferred to the United States.
5. Credit-related personal data
Where we collect your personal data and we're likely to disclose that personal data to a credit reporting body, we're required by law to notify you of certain matters, which are set out below. If you want us to provide you with a hard copy of this information, then please contact us.
Which credit reporting bodies does ING deal with?
We primarily deal with, and report certain credit-related personal data to, Equifax Australia Information Services & Solutions Pty Limited (EISS) and Illion Australia Pty Ltd (Illion), which are major credit reporting bodies in Australia.
You can contact:
(a) EISS by:
one of the methods specified at www.equifax.com.au/contact; or
mailing EISS - Equifax, PO Box 964, North Sydney NSW 2059
(b) Illion by one of the methods speciﬁed at www.illion.com.au/contact-us/
Collection, use and disclosure of your credit-related personal data
EISS and Illion may include your credit-related personal data that we provide to it in credit reports to other credit providers to assist those credit providers to assess your credit worthiness.
If you fail to meet your payment obligations in relation to any loan you have with us or if we believe that you have committed a serious credit infringement, we may be entitled to disclose this to EISS and Illion.
Under the Privacy Act, credit reporting bodies are prohibited from using or disclosing credit reporting information that they hold about you for the purposes of direct marketing. Subject to a number of restrictions, this general prohibition does not apply to the use of this information by the credit reporting body for the purpose of assessing whether you are eligible to receive direct marketing by credit providers, such as ING.
This use of the information in this way is known as a "pre-screening assessment". The Privacy Act allows you to request a credit reporting body that holds credit information about you to not use that information for the purposes of a pre-screening assessment. The credit reporting body cannot charge you for making, or carrying out, the request.
Fraud - "ban period"
The Privacy Act gives you certain mechanisms to deal with fraud, including identity fraud.
If you believe on reasonable grounds that you have been, or are likely to be, the victim of fraud then you can ask EISS, Illion (or any other credit reporting body that holds information about you) not to use or disclose your credit reporting information during a "ban period".
The "ban period" is a period of 21 days starting on the day that you make the request, which can be extended on your request if the credit reporting body believes on reasonable grounds that you have been, or are likely to be, the victim of fraud.
The credit reporting body cannot charge you for making, or carrying out, the request.
6. Your rights and how we respect them
We respect your rights as a customer to determine how your personal data is used. These rights include:
Right to access information
You have the right to ask us for an overview of your personal data that we process.
Right to rectification
If your personal data is incorrect, you have the right to ask us to rectify it. If we shared data about you with a third party that is later corrected, we will also notify that party.
Right to complain
Should you not be satisfied with the way we have responded to your concerns you have the right to submit a complaint to us. If you are still unhappy with our reaction to your complaint, you can escalate it to the ING Bank Data Protection Officer. You can also contact the data protection authority in your country.
Right to anonymity or to use a pseudonym
You have the option of dealing with us anonymously or using a pseudonym in some cases (for example when you make inquiries about our products or services). However, we will need to know and verify who you are before we can provide you with our financial products and services.
Exercising your rights
If you want to exercise your rights or submit a complaint, please contact us. There is a list of contact details for the ING office in your country at the end of this Privacy Statement.
How you exercise your rights depends on your ING product and the availability of services in your country. It could be through our website, by visiting a branch or by telephone. We aim to respond to your request as quickly as possible. In some instances this could take up to one month (if legally allowed). Should we require more time to complete your request, we will let you know how much longer we need and provide reasons for the delay.
In certain cases, we may deny your request. If it's legally permitted, we will let you know in writing why we denied it and we will let you know how you can make a complaint about the refusal. If relevant in the case of an access request, we will also attempt to find alternative means for you to access the information you are seeking.
7. Your duty to provide data
There is certain information that we must know about you so that we can commence and execute our duties as a bank and fulfil our associated contractual duties. There is also information that we are legally obliged to collect. Without this data we may not be able to open an account for you or perform certain banking activities.
If you do not provide us with the information requested we will generally not be able to provide you with our products or services.
8. How we protect your personal data
We apply an internal framework of policies and minimum standards across all our business to keep your data safe. These policies and standards are periodically updated to keep them up to date with regulations and market developments. More specifically and in accordance with the law, we take appropriate technical and organisational measures (policies and procedures, IT security etc.) to ensure the confidentiality and integrity of your personal data and the way it’s processed.
In addition, ING employees are subject to confidentiality and may not disclose your personal data unlawfully or unnecessarily.
9. What you can do to help us keep your data safe
We do our utmost to protect your data, but there are certain things you can do too:
Install anti-virus software, anti-spyware software and a firewall. Keep them updated.
Do not leave equipment and tokens (e.g. bank card) unattended.
Report the loss of a bank card to ING and cancel the lost card immediately.
Log off from online banking when you are not using it.
Keep your passwords strictly confidential and use strong passwords, i.e. avoid obvious combinations of letters and figures.
Be alert online and learn how to spot unusual activity, such as a new website address or phishing emails requesting personal information.
10. How long we keep your personal data
We are only allowed to keep your personal data for as long as it’s still necessary for the purpose we initially required it. After this we look for feasible solutions, like archiving it.
11. Contact us
If you want to know more about ING’s data policies and how we use your personal data or if you have any questions about how we use your personal data, you can contact us by:
calling 133 464
ING Privacy Officer
GPO Box 4094
Sydney NSW 2001
12. Scope of this Privacy Statement
This is the Privacy Statement of ING Bank (Australia) Limited and ING Bank N.V., Sydney Branch. We may amend this Privacy Statement to remain compliant with any changes in law and/or to reflect how our business processes personal data. This version was created on 30 July 2018. The most recent version is available at ING.com and ing.com.au.
Office of the Australian Information Commissioner (OAIC)
Belgian Privacy Commission
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Hungarian National Authority for Data Protection and Freedom of Information
Garante per la protezione dei dati personali
National Privacy Commission