This is the Privacy Statement of ING Bank (Australia) Limited ("IBAL"),”, “we”, “us” and “our”), and it applies when we process personal data. IBAL is bound by the protections in the Privacy Act 1988 (Cth) and the Privacy (Credit Reporting) Code 2014. IBAL is also a holder of Consumer Data Right (CDR) data under the CDR regime. As a data holder, you may authorise us to share specified CDR data that relates to you that we hold, with third party accredited data recipients. This specified CDR data may contain your personal information. This Privacy Statement applies to how we handle personal data. For further information on how we manage CDR data, see our CDR Policy.
1. Purpose and scope of this Privacy Statement
At IBAL, we understand that your personal data is important to you. This Privacy Statement explains in a simple and transparent way what personal data we collect, record, store, use and process and how. When handling your data we seek to ensure that the right people are using the right data for the right purpose.
This Privacy Statement applies to
All past, present and prospective IBAL customers who are individuals from whom we have collected personal information. This includes one-person businesses, legal representatives or contact persons acting on behalf of our corporate customers.
Non-IBAL customers. These could include anyone who makes a payment to or receives a payment from an IBAL account; anyone that visits an IBAL website, branch or office; professional advisors; joint account holders, shareholders; anyone who is a guarantor; ultimate beneficial owner, director or representatives of a company that uses our services; debtors or tenants of our customers; anyone involved in other transactions with us or our customers. If we have collected your personal data from someone you know, we have asked them to provide you with a Privacy Notice which sets out how we handle, collect, use and disclose your personal information.
We obtain your personal data in the following ways:
Directly, from you when you become a customer, register for our online services, complete a form, sign a contract with IBAL, use our products and services, contact us through one of our channels or visit our websites including through cookies and comparable technologies.
Indirectly, from your employer (when it is an IBAL customer), a person whom you have a joint account with, your broker or financial adviser, or when you are appointed to act as a representative or contact person of your employer when it becomes a prospective customer or if it is an existing customer.
From other available sources such as debtor registers, land registers, commercial registers, registers of association, the online or traditional media, publicly available sources or other companies within ING or third parties such as payment or transaction processors, credit agencies, other financial institutions, commercial companies, or public authorities.
2. The types of personal data we process
Personal data refers to any information or an opinion about an individual that can be linked to a natural person. We may also process sensitive information which is a subset of personal data.
Identification data: the name, date and place of birth, ID number, email address, telephone number, title, nationality and a specimen signature, fiscal code/social security number;
Transaction data, such as your bank account number, any deposits, withdrawals and transfers made to or from your account, and when and where these took place, transaction identifiers and associated information;
Credit information such as identification information, consumer credit liability information, repayment history information, financial hardship information, the type of consumer credit or commercial credit and the amount of credit sought in an application, default information, payment information, new arrangement information and any opinion that the customer has committed a serious credit infringement;
Credit eligibility information such as credit reporting information about the individual that was disclosed to us by a credit reporting body. We use this information to derive information about you. The information we derive about you relates to your credit worthiness and information that can be used to establish your eligibility for consumer credit;
Financial data, such as invoices, credit notes, payslips, payment behaviour, the value of your property or other assets, your credit history, credit capacity, tax status, income and other revenues financial products you have with IBAL, whether you are registered with a credit register, payment arrears and information on your income, electronic payment instrument data such as card number, expiry date or card verification code (CVV/CVC);
Socio-demographic data, such as your gender, studies, job position and marital status including whether you have children. Where local law considers this sensitive personal data, we respect the local law;
Online behaviour and information about your devices, such as your location and your IP address and your device ID of your mobile device or computer you use and the pages you visit on IBAL websites and apps;
Data that you share with us. For example, information about your interests and needs that you may share when you contact our call centre or fill in an online survey or when you use our platforms or fill in surveys;
Audio-visual data; where applicable and legally permissible, we process surveillance videos at IBAL premises, or recordings of phone or video calls or chats with our offices. We can use these recordings to verify telephone orders, for example, or for fraud prevention, analysis or staff training purposes;
Your interactions with IBAL on social media; such as Meta (Facebook), Twitter, Instagram, LinkedIn and YouTube. We follow public messages, posts, likes and responses to and about IBAL on the internet.
Information related to your location, when performing a payment or when accessing certain products/services for example when you withdraw cash from an ATM.
Sensitive personal data
Sensitive personal data is personal data relating to your health, ethnicity, religious or political beliefs, genetic or biometric data. We may process your sensitive personal data as further detailed below in section 3 (What we do with your personal data) if we have your explicit consent or when we are required to do so by applicable local laws and regulations such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
Please note that if you instruct us to make a payment to a political party, trade union, or to a religious institution or health care institution such as hospitals, health clinics, or extended care facilities, this qualifies as sensitive personal data. Therefore, IBAL will not process such sensitive personal data for other purposes than executing the transaction or with your explicit consent. However, it is possible that as a result of our obligation to comply with anti-money laundering regulations and our interest in preventing fraud, we may further process such data for example to verify the origin of the funds but only in the context of anti-money laundering regulations.
Children's data (only applies to our retail customers)
We only collect personal data about children if they have an IBAL product or if you provide us with personal data about your own children in relation to the product you obtain from us. We will seek parental consent when it’s required by local law.
3. What we do with your personal data
Processing means every activity that can be carried out in connection with personal data such as collecting, recording, storing, adjusting, organising, using, disclosing, transferring or deleting it in accordance with applicable laws. We only use your personal data for:
Performing agreements to which you are a party or taking steps prior to entering into these agreements. We use your personal data when you enter into an agreement with us, or when we have to execute our obligations under these agreements.
For instance, we use your account details when you ask us to make a payment or carry out an investment order or to provide you statements of your accounts or your annual overview in My ING.
We also use these account details to, when necessary, block payments, investigate and remediate product dysfunctionalities and solve claims, petitions and complaints regarding the requested services.
We also use your personal data to contact you in order to, among others, notify you on contractual term changes, the expiry of a deadline/contractual condition, registering a debt or to provide you with information related to your services/relationship.
We use your credit information and credit eligibility information to make an assessment about your eligibility for credit.
We also disclose the information we have collected about you to credit reporting bodies to obtain your credit report and credit score.
We rely on the lawful basis of 'necessary for performing agreements' when we use your personal data for these and similar purposes.
Compliance with legal obligations to which we are subject
We use your personal data to comply with a range of legal obligations and statutory requirements including banking and financial regulations that oblige us to perform a/an:
Integrity check: When entering into a customer relationship with you, we have a legal obligation to consult available incidents registers and warning systems and national and international sanctions lists;
Identity verification: When entering into a customer relationship with you, we have a legal obligation to confirm your identity. We can do this by making a copy of your identity document, which we will only use for identification and verification purposes. For checking your integrity and identity, we may also rely on checks performed by other financial institutions;
Credit check: : Before entering into a customer relationship with you, we have a legal obligation to check whether you qualify as an acceptable customer. We assess your credentials from a risk perspective and predict if you can meet your financial obligations towards us as further detailed in Section 6 (Automated decision-making and profiling);
Fraud prevention and anti-money laundering and terrorism financing check: ; we have a legal obligation to check for potential fraud, money laundering and terrorism financing. We monitor, among others, unusual transactions, sanctions list as further detailed in Section 6 (Automated decision making and profiling);
Regulatory and statutory reports and data requests from our regulators: as further detailed in Section 4 (Who do we share you data with and why).
We rely on the lawful basis of ‘necessary to comply with a legal obligation’ when we use your data for these processing activities.
Our legitimate interest
We process your data when we believe that it is within our legitimate interest to do so, as described below. Should you wish to obtain more information about our reasoning behind such assessment in a specific case, please contact us using the details as provided in Section 11 (Contact and questions). Please find below an overview of the main purposes for which we process your personal data where we rely on legitimate interest:
To promote and offer you the best-suited products and services by us or other ING entities.: We will process your personal data when informing or advising you about similar products and services from ING. Of course, if you don’t want to receive these offers you have the right to object or to opt-out. We strive to understand you better and meet your changing needs by offering you services that will suit your specific situation. To achieve such personalisation we may:
take into account your socio-demographic and financial data;
analyse your habits and preferences in our various communications channels, visits to our website or other online environments, etc.);
analyse the products and services that you have already purchased from us.
To ensure an effective and efficient internal business process execution and management reporting:We process your data for our internal processes and operations and to help our management to make better – data driven - decisions about our operations, policies, strategies and services. For that, we will always choose aggregated data, i.e. not identifiable to you as an individual, if we can. This includes:
analysing our market position in different segments;
performing cost and loss analysis;
training our staff for example by analysing recorded phone calls (when recording is permitted by local law) in our call centres to improve our calling scenario;
automating our processes such as application testing, automatic filling of complaints handling, etc.;
conducting litigation and complaint management.
To protect your vital interests.
We process your personal data when necessary to protect your interests which are essential for your life or that of another natural person. For example for urgent medical reasons pertaining to you. We will only process your personal data necessary for the vital interests of another natural person if we cannot base it on one of the other purposes mentioned.
To respect your choice, we request your consent for specific personal data processing.
For certain types of personal data processing, we will provide you with specific information about the process and request your prior consent before processing your personal data. This may include:
the use of biometric data such as face or fingerprints as authentication and/ or verification purposes such as for access to mobile apps;
recording of your conversations with us online, by telephone or in our branches;
promotional activities where we inform you about products and services from partners of IBAL
You may revoke you consent anytime as further detailed below.
4. Who we share your personal data with and why
There are situations in which we need to provide your personal data to other parties involved in the provision of our services, which could be data transfers within the ING Group and to third parties. The ING Group and third party entities who we may share your personal data with may be located overseas. As ING Group operates in over 40 countries, it is likely that your personal data will be disclosed to overseas recipients. Where your CDR data includes personal information, we may disclose that personal information to an accredited data recipient.
Within the ING Group
IBAL is part of the ING Group which provides financial and insurance or brokerage services in over 40 countries. The countries to which your personal data is likely to be disclosed includes The Netherlands, Philippines, Poland, Romania, Singapore, and Slovakia.
For more information about the ING Group, we refer you to www.ing.com. The ING Group is committed to your privacy and it has adopted strong principles in that respect through its Global Data Protection Policy ("GDPP"). The GDPP is approved by the Dutch Data Protection Authority which is the lead supervisory authority for ING Bank N.V. and is binding on all ING entities, subsidiaries, branches, representative offices, and affiliates worldwide (also known as "Binding Corporate Rules")
IBAL may share your personal data with its parent company ING Bank N.V. to ensure that the ING Group will be able to comply with its legal obligations and/or for reasons of substantial public interests:
to comply with any regulatory and statutory reports and data requests as required by ING Group’s European regulators like, among others, European Banking Authority (EBA), European Central Bank (ECB) and the Financial Stability Board (FSB). When possible, personal data will be aggregated meaning that only information about groups of clients will be shared with the Group’s regulators to ensure that it can no longer be linked back to you.
for the development (also on behalf of IBAL) of ING’s internal credit models. Under EU banking rules, ING Group is obliged to develop these credit models to be able to calculate any counterparty risks and exposures which allows ING Group to determine our risks as well as the extent of the financial buffer we must hold, when providing financial services to you.
for the development (also on behalf of IBAL) of ING’s Know Your Customer (KYC) models. To safeguard the ING Group against involvement in Financial Economic Crimes, KYC models are being developed on a group level for client and transaction screening to detect (potential) criminal activities. These KYC models incorporate mandatory requirements derived from, among others, the EU Directives and Regulations in the area of prevention of money laundering and terrorist financing, the Basel Committee on Banking Supervision Guidelines (BCBS) and EU, US and UN sanctions laws and regulations.
IBAL also continues to strive to make the everyday procedures more efficient and effective since it is in our legitimate interest to offer you the best possible services at competitive rates. As such, IBAL will share your personal data with ING Group and other ING entities to centralize certain operations to achieve economies of scale.
for, among others, the alert handling, fraud/ KYC screening, operational handling of payments and other transactions and quality assurance. For efficiency reasons, these operational activities are centralised in ING Business Shared Services (IBSS) entities located among others in Slovakia, Poland and the Philippines. These IBSS entities will process your data on behalf of IBAL and are fully subject to ING’s Global Data Protection Policy (GDPP) to ensure an adequate level of data protection.
the development of models mainly related to improving customer processes such as optimisation of account management and product management in customer channels. For efficiency reasons, these models are mainly developed by our analytics department on group level in The Netherlands, Poland and Romania. Your personal data will be pseudonymised when transferred for this purpose.
Please note that IBAL will remain responsible to you for ensuring that the processing of your personal data - including any processing carried out by other ING entities on our behalf as set out above - complies with the applicable data protection regulations. Within the ING Group, there are contractual arrangements in place to ensure that your personal data will only be processed for a specific purpose on the basis of an appropriate legal basis (taking into account any effect such processing may have on you) and that adequate organisational and technical measures have been implemented to protect your rights. We will also remain responsible to handle any request you may have in relation to your privacy rights as described below.
With third parties
We also share your personal data with the following categories of third parties:
Government, Supervisory and Judicial authorities
To comply with our regulatory obligations we are obliged by law to disclose personal data to the relevant government, supervisory and judicial authorities, such as:
Public authorities, regulators and supervisory bodies such as the Office of the Australian Information Commissioner (OAIC), Australian Financial Complaints Authority (AFCA), Australian Transaction Reports and Analysis Centre (AUSTRAC), Australian Regulation Prudential Authority (APRA), Australian Securities and Investment Commission (ASIC), Australian Competition and Consumer Commission (ACCC) Reserve Bank of Australia (RBA) and Banking Code Compliance Committee (BCCC) in Australia.
Australian Tax Office (ATO) may require us to report customer assets or other personal data such as your name and contact details and other information about your organisation. For this purpose, we may process your identification data like social security number, tax identification number or any other national identifier in accordance with applicable local law.
Judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legal request.
Other financial institutions
To process certain payment and withdrawal services, we share your personal data or the personal data of your representative (if any) with another bank or a specialised financial company. We also share your personal data with financial sector specialists who assist us with financial services like:
Exchanging secure financial transaction messages such as Worldwide Interbank Financial Telecommunication (SWIFT);
Payments and credit transactions worldwide including MasterCard and VISA when applicable;
Processing electronic transactions worldwide;
Settling domestic and cross-border security transactions and payment transactions;
Account information services; when you have specifically instructed an account information service provider to retrieve account information from your IBAL accounts on your behalf, we are obliged to share the necessary transaction data with such provider as long as you have consented to this;
Payment initiation services; when you have specifically instructed a payment initiation service provider to initiate payments from your IBAL accounts on your behalf, we are obliged to share access to your accounts with such provider as long as you have consented to this;
Other financial services organisations, including banks, superannuation funds, stockbrokers, custodians, fund managers and portfolio service providers.
Service providers and other third parties
When we use other service providers or other third parties to carry out certain activities in the normal course of business, we may have to share personal data required for a particular task. We carefully select these companies and clearly agree with them on how they are to handle your personal data. We remain responsible for your personal data. These service providers support us with activities like:
Designing, developing and maintaining internet-based tools and applications;
IT service providers who may provide application or infrastructure (such as cloud) services;
Marketing activities or events and managing customer communications;
Preparing reports and statistics, printing materials and designing products;
Placing advertisements on apps, websites and social media;
Legal, auditing or other special services provided by lawyers, notaries, trustees, company auditors or other professional advisors;
Identifying, investigating or preventing fraud or other misconduct by specialised companies;
Performing specialised services like postal mail by our agents, archiving of physical records, contractors and external service providers; or
Carrying out securitisation arrangements (such as trustees, investors and the advisers) or;
Where your CDR data includes personal information, we may disclose that personal information to an accredited data recipient.
Independent agents, brokers and business partners
We may share your personal data with independent agents, brokers or business partners such as nib who act on our behalf, or which jointly offer products and services with us, such as insurance. They are registered in line with local legislation and operate with due permission of regulatory bodies.
We are always looking for new insights to help you get ahead in life and in business. For this reason, we exchange personal data (when it’s legally allowed) with partners like universities and other independent research institutions, who use it in their research and innovation. The researchers we engage must satisfy the same strict requirements as IBAL employees. When possible, the personal data will be shared at an aggregated level to ensure the results of the research will be anonymous.
Credit reporting bodies
For customers who apply for a credit facility with us in Australia, you agree that we may exchange your personal data with a credit reporting body ("CRB"), including by sharing information about:
your credit worthiness
your credit history, including about the type of credit you have (like credit cards, personal loans and home loans), how much you have borrowed, if you've made your repayments (including repayments you're required to make under your IBAL credit facility with us) and if you've experienced financial hardship
whether you have committed fraud or another serious credit infringement, and
obtaining commercial credit information about you in order to assess an application by you for consumer credit.
CRBs may include information that we provide in reports to other credit providers to assist those credit providers to assess your credit worthiness. We may ask a CRB to give us your overall credit score, and we may use credit information from CRBs together with other information to arrive at our own credit score of your ability to manage your credit obligations.
Credit providers (like us) can ask CRBs to use your credit information to pre-screen you for direct marketing purposes, but you can tell CRBs not to do this. However, by applying for a credit facility with us, you may still receive direct marketing from us (unless you ask us not to) that has not been 'pre-screened'.
Fraud - 'ban period'
If you believe, on reasonable grounds, that you have been, or could be, a victim of fraud (for example, someone else may be using your name to apply for credit), you can ask CRBs not to use or give anyone your credit information during a 'ban period'.
The 'ban period' is a period of 21 days starting on the day you make the request. That period can be extended on your request where the CRB believes on reasonable grounds that you have been, or are likely to be, the victim of fraud. By applying for a credit facility with us, you agree to us accessing your personal information held with a CRB, even if there is a ban period in place, for the purposes of assessing an application for credit or in order to collect overdue payments.
For customers who apply for a credit facility with us in Australia, we may disclose information about you (including about your credit worthiness, credit history and repayment history information) to other credit providers to assess an application by you for credit, to notify them of a default by you and to inform other credit providers who allege you are in default with them. We may also disclose your information to any person reasonably necessary for the purposes of that person taking an assignment of any contract the lender has with you.
5. Transfer of personal data outside the EEA
Whenever we share your personal data (in case EU data protection laws apply) with third parties or other ING entities located in countries outside of the European Economic Area (EEA) that do not offer an adequate level of data protection, we will make sure there will be adequate measures in place to ensure that your personal data is sufficiently protected.
For this purpose, we rely, amongst others, upon the following so-called transfer tools:
EU Model clauses or Standard Contractual Clauses; these are contractual clauses we agree with any external service providers located in a non-adequate country to ensure that such provider is contractually obliged to provide an adequate level of data protection.
Binding Corporate Rules; for personal data transfers within the ING Group, we also rely on binding internal Group policies (i.e. the Binding Corporate Rules) to ensure that ING entities located in a non-adequate country will adhere to an adequate level of data protection when processing personal data covered by EU data protection laws as further detailed in Section 4 (Who do we share your personal data with and why).
Furthermore, we will assess on a case-by-case basis whether any organisational, technical (such as encryption) and/ or contractual safeguards need to be implemented to ensure your personal data is adequately protected, taking into account the legal framework of the country where the data importer is located.
6. Tranfer of credit information or credit eligibility information outside of Australia
We are unlikely to disclose your credit information or credit eligibility information to entities that do not have an Australian link.
Automated decision-making and profiling
Automated decision-making is when we make decisions by technological means without significant human involvement. Profiling involves the automated processing of personal data with a view to evaluating or predicting personal aspects such as the economic situation, reliability or likely behaviour of a person.
Since IBAL serves a wide group of clients, it makes the use of automated decision-making and profiling imperative. Examples are:
Credit risk rating
We create a profile of you when you apply for a loan or credit in order to assess if you can meet your financial obligations towards us and to ensure that we do not offer loans that are not suitable for you. We assess the risk connected to a contract with you via a method called credit-scoring. Your credit score is calculated based on automated decision-making. You have to achieve a pre-defined minimum-score to ensure an acceptable risk for us.
Based upon the personal data provided by you, we consult external service providers and credit rating agencies to acquire relevant financial information (credit-rating, financial statements, turn-over/solvency, and payment history). If you already have, or had, a relationship with us in the past, we combine the aforementioned (external) financial information with internal payment history and transaction data related to you. In case you do not achieve the minimum-score, the automated credit-scoring will result in a decline. In that case, we will refrain from entering into an agreement with you since we deem the risks for you and us too high.
Prevention of fraud and money laundering and terrorism financing.
We are obliged to perform client and transaction screening to detect (potential) criminal activities. As a result, we pay particular attention to unusual transactions and to transactions that - by their nature - result in a relatively high risk of fraud, money laundering or terrorism financing. To do this we create and maintain a risk profile of you. If we suspect that a transaction is connected with money laundering or terrorist financing, we are obliged to report this to the authorities.
Factors that we take into account that may indicate an increased risk of fraud or money laundering and terrorist financing are:
Deviations in a person's normal spending and payment behaviour, such as unexpectedly large amounts being transferred or debited;
Payments to or from suspicious countries, stores or addresses;
Being listed on an internal referral register. ING's internal referral register is a list of persons and institutions with whom we no longer want a relationship. They are a risk to IBAL, its staff and/or its customers. Only employees of ING security departments can view this list;
Being listed on an external referral register. Such external referral register is a list of the banks in the Netherlands that includes persons and institutions who have committed fraud or otherwise pose a risk to the financial sector. Financial institutions in the Netherlands can check whether persons and institutions are on the list and they can add them to the list;
Being listed on any national or international sanctions lists.
7. Your rights and how we respect them
If your personal data is processed, you have privacy rights. Based on applicable laws, your privacy rights may vary from jurisdiction to jurisdiction. If you have questions about which rights apply to you, please get in touch with us through the email address mentioned in item 9.
You have the following rights:
Right of access
You have the right to ask us for access to your personal data or the information that we hold about you. To do so, please provide your request in writing to the IBAL Privacy Officer at GPO Box 4094, Sydney NSW 2001 or firstname.lastname@example.org. Please specify the information you wish to access, to help us quickly identify and retrieve that information for you.
Please note that requests for access to your personal information may only be made by you or by another person who you have authorised to make a request on your behalf, such as a legal guardian or authorised agent. We will require you to verify your identity, or the identity and authority of your representative, to our reasonable satisfaction.
An access charge may apply, but not to your request for access itself. In particular, we may impose a reasonable charge for providing access to this information to recover any expenses incurred in retrieving and collating the requested information. Where an access charge applies, unless you authorise us to debit your account with us, access won't be provided until we receive payment. We will respond to your access request as soon as possible and tell you how long it will take to provide the information. This may be up to 30 days in some circumstances.
We may exercise our right to deny access to particular information in certain situations, for example, where access may reveal our commercially sensitive decision processes (e.g. criteria for loan approvals), where the information relates to existing or anticipated legal proceedings, or where it will threaten the privacy of other individuals.
If we deny you access to your personal information, we will write to you to:
explain the reason your access request has been denied unless it would be unreasonable for us to do so in the circumstances; and
the avenues available to you to complain about our refusal.
If we refuse to give you access, if appropriate, we will attempt to find alternative means to enable you to access the information, for example, through a mutually agreed intermediary.
Right to rectification
For personal information that is not CDR data, we take reasonable steps to ensure that your personal information is accurate, up-to-date, complete, relevant and not misleading. For instance, we may ask you to confirm some of your details when you speak to our Contact Centre staff. However, please contact us if you learn that any your personal information that we hold is incorrect, has changed or requires updating. You can update some of your personal information using online banking.
It may take 30 days or more to consider your correction request in unusual circumstances (e.g., where we are required to consult with other credit reporting bodies and/or credit providers in relation to the information).
We will promptly update your personal information if it is inaccurate, out-of-date, incomplete, irrelevant or misleading. If we correct the personal information the subject of your correction request and we have previously disclosed that information to a third party, we will notify that third party of the corrected information (if we're required to by law).
If we disagree with your request to correct your personal information, we will write to you to:
explain the reason your correction request has been denied unless it would be unreasonable for us to do so; and the avenues available to you to complain about our refusal.
If we disagree with your request to correct your personal information, you also have the right to ask us to attach a statement that in your opinion the information is in your opinion inaccurate, out-of-date, incomplete, irrelevant or misleading. However, please note that this right does not apply to our refusal to correct your credit information.
For personal information that is CDR data, please refer to our CDR policy for information on:
the steps we take to ensure that the CDR data we are required or authorised to disclose is accurate, up to date and complete; and
the steps we will take if we receive a request from you to correct the CDR data that we have disclosed in relation to you.
Right to object to processing
You can object to IBAL using your personal data for its own legitimate interests if you have a justifiable reason. We will consider your objection and whether processing your personal data has any undue impact on you that would require us to stop processing your personal data.
You may not object to us processing your personal data if
We are legally required to do so; or
It is necessary to fulfil a contract with you.
You can also object to receiving personalised commercial messages from us. When you become an IBAL customer, we may ask you whether you want to receive personalised offers. Should you later change your mind, you can choose to opt out of receiving these messages. For example, you can use the ‘unsubscribe’ link at the bottom of commercial emails or manage your preferences on our website or mobile banking app.
In addition, even if you opt out of receiving personalised offers, we will alert you to unusual activity on your account, such as:
When your credit or debit card is blocked;
When a transaction is requested from an unusual location.
Right to object to automated decisions
We sometimes use systems to make automated decisions based on your personal data if this is necessary to fulfil a contract with you, or if you gave us consent to do so. You have the right to object to such automated decisions (for in relation to credit scoring as explained above) and ask for an actual person to make the decision instead.
Right to restrict processing
You have the right to ask us to restrict using your personal data if:
You believe the personal data is inaccurate;
We are processing the data unlawfully;
We no longer need the data, but you want us to keep it for use in a legal claim;
You have objected to us processing your data for our own legitimate interests.
Right to data portability
You have the right to ask us to transfer your personal data directly to you or to another company. This applies to personal data you have provided us directly and that we process by automated means with your consent or on the basis of a contract with you. Where technically feasible, and based on applicable local law, we will transfer your personal data.
Right to erasure (‘right to be forgotten’)
IBAL is sometimes legally obliged to keep your personal data. However, if you exercise your right to be forgotten, we will erase your personal data when:
We no longer need it for its original purpose;
You withdraw your consent for processing it;
You object to us processing your data for our own legitimate interests or for personalised commercial messages;
IBAL unlawfully processes your personal data; or
Local law requires IBAL to erase your personal data.
Right to complain
Should you as a customer, or a customer’s representative, be unsatisfied with the way we have responded to your concerns, you have the right to submit a complaint to us. For example, if you have any complaints about how IBAL has handled your personal information or you wish to make a complaint about how IBAL has breached the Australian Privacy Principles, Division 3 of Part IIIA of the Privacy Act or the Privacy (Credit Reporting Code) 2014. If you are still unhappy with our reaction to your complaint, you can escalate it to the ING Bank data protection officer.
If you have a complaint or a concern about privacy at IBAL, including if you consider that we have breached the Privacy Act, the Credit Reporting Privacy Code or other applicable Privacy Code that applies to us, please contact the Privacy Officer by one of the means set out above. If you are not satisfied with how your complaint or concern about privacy is resolved, you can refer your complaint to Australian Financial Complaints Authority (AFCA). AFCA can be contacted on the following details:
Call 1800 931 678
Write to Australian Financial Complaints Authority GPO Box 3 Melbourne VIC 3001
If you are not satisfied with how your complaint or concern is resolved by the relevant external dispute resolution body, you can then refer your complaint to the Privacy Commissioner. The Privacy Commissioner can be contacted on the following details:
Call the Privacy Hotline: 1300 363 992
write to: Office of the Australian Information Commissioner GPO Box 5218 Sydney NSW 2001
Please go to the "Complaints and Disputes" section of our website for information on how we deal with your complaints that are not privacy related.
Handling your complaints
We aim to:
acknowledge receipt of your complaint within 24 hours; and
resolve your complaint within 28 days. In certain circumstances that may not be possible. If we form the view that we can't resolve your complaint within 28 days, we will notify you of the reason for the delay and the expected timeframe to resolve your complaint.
Right to withdraw consent
If you have given your consent to us for specific processing of your personal data as set out in Section 3 (What do we do with your personal data), you can at any time withdraw your consent. Once consent is withdrawn, we are no longer allowed to process your personal data. Please be aware that such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
Exercising your rights
To exercise any of the rights as set out above, please send your request using the contact details at paragraph 11 below.
When exercising your right, the more specific you are with your request, the better we can assist you. We may ask you for additional information to verify your identity. In some cases we may deny your request and, if permitted by law, we will notify you of the reason for denial of your request. If permitted by law, we may charge a reasonable fee for processing your request.
We want to address your request as quickly as possible. However, based on your location and applicable laws, the response times may vary. Should we require more time (than what is normally permitted by law) to complete your request, we will notify you immediately and provide reasons for the delay.
We do not store your personal data longer than we need to for the purposes (as set out in Section 3 (What do we do with your personal data)), for which we have processed it. This will be in most cases at least 7 years from the data of providing the relevant document except for customer verification records which are retained until the end of customer relationships. Sometimes we use different storage periods. For example, if the supervisory authority requires us to store certain personal data longer or if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period. If we no longer need your personal data as described above, we delete or anonymize the personal data, in accordance with regulatory provisions and applicable law.
9. How we protect your personal data
We take appropriate technical and organisational measures to ensure the availability, confidentiality and integrity of your personal data and the way it is processed. This includes state-of-the-art IT security, system and access controls, security monitoring, segregation of duties, etc. We apply an internal framework of policies and minimum standards across all our business to keep your personal data safe. These policies and standards are periodically reviewed to keep them up to date with regulations and market developments.
In addition, IBAL employees are subject to confidentiality obligations and may not disclose your personal data unlawfully or unnecessarily. To help us continue to protect your personal data, you should always contact IBAL if you suspect that your personal data may have been compromised.
10. Changes to this Privacy Statement
We may amend this Privacy Statement to remain compliant with any changes in law and/or to reflect how our business processes personal data. This version was created on 7 February 2023.
11. Contact and questions
To learn more about how we protect and use your personal data, you can send us an email to
Call: 133 464
IBAL Privacy Officer
GPO Box 4094