This privacy statement will answer your most important questions about the relevant privacy aspects and elements covered in Cobase’s internal policy (which is binding for our employees) related to the use of the Cobase portal and the security app/device by our clients’ users. Please note that Cobase is the trading name of Financial Transaction Services BV, known under KVK68914016.
Please note that for personal data in the payment data handled by Cobase different rules apply and an updated privacy statement will be made available in due time.
Purpose of personal data
We serve typically large and midsized corporate clients. Our clients appoint users to have access to our service via app and portal. We store personal data on these users.
The primary purposes of the data we store are:
• Authorization of users of our app and portal
• Initiation and authorization of payments
• Monitoring of payments
• Reviewing status and workflow
• Receiving transaction reporting and getting insight into data related to these data
• Initiation of FX transactions
• Other Treasury and Cash Management services
• Auditing the history of payments, transactions and reporting and user activity (Cobase and designated users of the client only). The data will also be used in case of a legal dispute
• Managing the users and authorization of the users of a specific client (designated users only)
The users of our portal get this access from a professional party. Due to this purpose, at this time there are no scenarios where we will process data of children.
Using personal data could happen in case of the following non-standard cases:
(i) Misuse of products, services and facilities of financial institutions
(ii) (attempted) criminal or otherwise negative conduct
(iii) Violations of (legal) regulations
(iv) Defending, preventing and tracing (attempted) (criminal or undesirable) conduct targeted towards the financial sector, the banks our clients use or Cobase or its Clients
(v) The use of and participation in warning systems (including sector-specific warning systems)
(vi) Compliance with legal requirements, such as anti-money laundering and anti-terrorist financing
It is generally permissible to use Personal Data for the following Secondary Purposes but appropriate (additional) measures will be taken:
(i) Transfer of the Data to an Archive; or
(ii) Internal audits or investigations; or
(iii) Implementation of business controls; or
(iv) Statistical, historical or scientific research; or
(v) Dispute resolution or litigation; or
(vi) Legal or business consulting; or
(vii) Insurance purposes.
Data that has been anonymised and cannot be used to identify, or be related to, the individual user can and will be used for a broader set of purposes, e.g. optimising the use of the portal.
We do not plan at this time to use the data for direct marketing or automated decision making. This would trigger a change to this statement.
The bases for these purposes are:
• The contract with our clients
• This privacy statement which is accepted by the users
Personal data we store
We can use the following personal data:
• Date of Birth
• Mobile phone number
• Mail (preferably professional)
• Logs on actions user took on the Cobase portal/app
Please note: as part of the identification and authorization in the Cobase app and portal we use devices with a camera to scan a picture on the screen. The video taken by these cameras could accidentally include a person. These data are not stored or accessible by Cobase or other parties involved in the data processing.
Who has access to these data?
The intended parties who have access to these data are:
• The client who has provided you with access. This typically relates to their user management, auditing, cash management and Treasury Operation and related risk management and auditing
• Third parties in our processing (see below)
Third parties we use in processing
The data of users of our app and portal will be stored on the MS Azure cloud. A proper contract is in place to ensure that this statement is also enforced with MS Azure.
In case of legal, regulatory or fraud concerns, personal data might be shared with external risk/legal fraud experts, including experts from ING.
Other third parties can be used in future without requiring individual consent. You will be notified of these parties via a change in this statement.
Incidentally we may use other consultant services from third parties requiring access to personal data. These consultants will be bound by the same policy rules as our own employees.
Policy statements regarding privacy
When creating our policies we had the GDPR/AVG in mind. The following elements are covered in our policies and other governance documents and are binding for our employees:
• In our HR policy we have embedded several measures to ensure we only hire reliable staff. This also applies to temporary staff and consultants.
• Ensure we have the appropriate technical measures to protect personal data
• Reviewing products regarding data protection, the role we have and resulting measures including informing the individual. We maintain a clear overview of the personal data we use, the type of individuals and our basis for this
• Ensure we understand for each product what our role is in subsequent data handling (e.g. data controller/processor) and there is a clear basis for this data and ensure we take measures appropriate with that role
• Ensure everybody in the organisation understands the importance of handling data correctly. We therefore have a separate mandatory training regarding the handling of personal data to create awareness.
• Ensure we have a process to understand data implications for new and existing products, identify our role (data processor/controller) and establish if there is a proper basis to do this
• Ensure the individuals for whose data we are data controller are appropriately informed
• Ensure that 3rd parties who process data on our behalf sign appropriate contracts (e.g. data processor agreement)
• Execute Data Privacy Impact analysis where we start to process personal data or significantly change the processing
• Ensure we have a privacy officer guarding our data, take appropriate measures to guard the privacy of (personal) data that flow through our services and systems (covered in Information security/minimum standards), act on breaches (covered in NFR). The measures need to be checked against the GDPR/AVG (Algemene Verordening Gegevensbescherming)
• We adhere to our Corporate IT Security, Organisation policy and related topics such as Data Privacy.
• Breaches: Personal data is highly sensitive and breaches must be handled in a structured way. This can require informing the Dutch Data Protection Authority and the impacted individuals. The Privacy Officer coordinates the creation and updating of this process.
• Cobase has a separate process to handle requests from individuals to get insight into the usage of their personal data and requests for correction/deletion or cessation of processing
• Product development: We specifically consider in the development of products what our role is regarding data (data controller/processor) associated with the product and take appropriate resulting measures. The complete set of required measures should be checked against the GDPR/AVG (Algemene Verordening Gegevensbescherming)
• Procedures are enforced and technological controls against inappropriate disclosure or leakage of sensitive data are in place
If you object to our handling of personal data, or if the client you work for so requires, we will deactivate you as a user.
When a user is deactivated, part of the personal data is no longer visible in the app/portal. The actions this user took before deactivation can still be reviewed by designated users of the client. This is required for control and auditing purposes. The data also remain available in the Cobase backoffice systems for control and auditing purposes.
All personal data described in this statement will be removed no later than 7 years after the user has been deactivated.
Insight and changes to your personal data
The majority of the personal data we store for the users of our apps and portal can be reviewed in our portal under the heading “My profile”. Correcting data is also possible in this screen.
Should you require insight through other means or would like to request correction/deletion of data, please contact our privacy office via email@example.com, stating in the subject “Personal data request”.
You should receive the insight into data within 1 month. In case the request is denied or delayed, you will receive a specific reason and we will inform you how you can take steps in case you do not agree.
Cobase sees the proper handling of (personal) data of the utmost importance.
Should you not be satisfied, it is possible to log complaints with the applicable data protection regulator. Complaints around the handling of your data by Cobase can be logged with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in The Hague.
Changes to this privacy statement
We reserve the right to change this privacy statement. The changed statement will be made available through Cobase.com.
In case you do not agree to these changes, you have the right to be removed as an active user. This means your personal data are no longer available in our app/portal. In the portal we will continue to show the previous actions you have taken before your access was revoked, as far as relevant for the owner of the contract.
This privacy statement is version 1.0, finalised and published on 01-12-2017.