Privacy Policy
This is the Privacy Statement of ING Bank (Australia) Limited ("IBAL"),”, “we”, “us” and “our”). IBAL issues a wide range of banking, deposit and credit products and transaction services, and distributes ING-branded insurance and superannuation products (Products and Services). This Privacy Statement describes how we collect and handle personal information. IBAL is bound by the Privacy Act 1988 (Cth) and the Privacy (Credit Reporting) Code 2014. IBAL is also a holder of Consumer Data Right (CDR) data under the CDR regime. As a data holder, you may authorise us to share specified CDR data that relates to you that we hold, with third party accredited data recipients. This specified CDR data may contain your personal information. For further information on how we manage CDR data, see our CDR Policy, which is available here.
1. Purpose and scope of this Privacy Statement
At IBAL, we understand that your personal information is important to you. This Privacy Statement explains in a simple and transparent way what personal information we collect, record, store, use and process and how. When handling your data we seek to ensure that the right people are using the right data for the right purpose.
This Privacy Statement applies to
All past, present and prospective customers who are individuals about whom we collect personal information when we provide, distribute and/or consider applications for our Products and Services. This includes sole-proprietor and partnership businesses, legal representatives or contact persons acting on behalf of our business and corporate customers.
Non-IBAL customers. These could include anyone who makes a payment to or receives a payment from an IBAL account; anyone that visits an IBAL website, branch or office; professional advisors; joint account holders of accounts held with other financial institutions, shareholders; anyone who is a guarantor; ultimate beneficial owner, director or representatives of a company that uses our services; debtors or tenants of our customers; anyone involved in other transactions with us or our customers. If we have collected your personal information from someone you know, we have asked them to provide you with a Privacy Notice which sets out how we handle, collect, use and disclose your personal information.
We obtain your personal data in the following ways:
Directly, from you when you enquire about, apply for and use our Products or Services, become a customer or guarantor, register for our online services, complete a form, sign a contract with IBAL, contact us through one of our channels or visit our websites including through cookies and comparable technologies.
Indirectly, from your employer (when it is an IBAL customer), a person whom you have a joint account with, your broker or financial adviser, or when you are appointed to act as a representative or contact person of your employer when it becomes a prospective customer.
From other available sources such as debtor registers, land registers, commercial registers, registers of association, the online or traditional media, publicly available sources or other companies within ING Group or third parties such as payment or transaction processors, credit agencies, other financial institutions, commercial companies, or public authorities.
When you apply for a specific Product or Service, we may sometimes use cookies to collect information from you. A cookie is a tiny file we store on your computer, tablet or mobile phone when you use our websites or apps. We refer you to our cookie notification as published on the IBAL website at www.ing.com.au/privacy for more information about the use of cookies and comparable technologies.
2. The types of personal information we process
Personal information refers to any information or an opinion about an individual that can be linked to a natural person. We may also process sensitive information which is a subset of personal data.
Identification data: the name, date and place of birth, government identification number, email address, telephone number, postal and residential addresses, title, nationality and a specimen signature, tax identification number/social security number;
Transaction data, such as your bank account number, any deposits, withdrawals and transfers made to or from your account, and when and where these took place, payee details, transaction identifiers and associated information;
Credit information such as identification information, consumer credit liability information, repayment history information, financial hardship information, the type of consumer credit or commercial credit and the amount of credit sought in an application, default information, payment information, new arrangement information and any opinion that the customer has committed a serious credit infringement;
Credit eligibility information such as credit reporting information about the individual that was disclosed to us by a credit reporting body. We use this information to derive information about you. The information we derive about you relates to your credit worthiness and information that can be used to establish your eligibility for consumer credit;
Financial data, such as invoices, credit notes, payslips, payment behaviour, the value of your property or other assets, your credit history, credit capacity, tax status, income and other revenues financial products you have with IBAL, whether you are registered with a credit register, payment arrears and information on your income, electronic payment instrument data such as card number, expiry date or card verification code (CVV/CVC);
Socio-demographic data, such as your age, gender, studies, job position, marital status, number of dependents and nationality. Where local law considers this sensitive personal information, we respect the local law;
Online behaviour and information about your devices, such as your location, the IP address and the device ID of the mobile device or computer you use when you visit on IBAL websites/webpages and access our apps and platforms;
Data that you share with us. For example, information about your interests and needs that you may share when you contact our call centre or fill in an online survey or when you use our platforms or fill in surveys;
Audio-visual data; where applicable and legally permissible, we process surveillance videos at IBAL premises, or recordings of phone or video calls or chats with our offices. We can use these recordings to verify telephone orders, for example, or for fraud prevention, analysis or staff training purposes;
Your interactions with IBAL on social media; such as Meta (Facebook), Twitter, Instagram, LinkedIn and YouTube. We follow public messages, posts, likes and responses to and about IBAL on the internet.
Information related to your location when performing a payment or when accessing certain products/services for example when you withdraw cash from an ATM.
Sensitive personal information
Sensitive personal information is personal information relating to your health, ethnicity, religious or political beliefs, genetic or biometric data. We may process your sensitive personal information as further detailed below in section 3 (What we do with your personal information) if we have your explicit consent or when we are required to do so by applicable local laws and regulations such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML Laws).
Please note that if you instruct us to make a payment to a political party, trade union, or to a religious institution or health care institution such as hospitals, health clinics, or extended care facilities, this qualifies as sensitive personal information. Therefore, IBAL will not process such sensitive personal information for other purposes than executing the transaction or with your explicit consent. However, it is possible that as a result of our obligation to comply with AML Laws and our interest in preventing fraud, we may further process such data for example to verify the origin of the funds but only in the context of AML Laws.
Children's data (only applies to our retail customers)
We only collect personal information about children if they have a Product or Service or if you provide us with personal information about your own children in relation to Product and Services you obtain from us. We will seek parental consent when it’s required by local law.
3. What we do with your personal information
Processing means every activity that can be carried out in connection with personal information such as collecting, recording, storing, adjusting, organising, using, disclosing, transferring or deleting it in accordance with applicable laws. We only use your personal information for:
Performing agreements to which you are a party or taking steps prior to entering into these agreements. We use your personal information when you enter into an agreement with us, or when we have to execute our obligations under these agreements.
For instance, we use your account details when you ask us to make a payment or carry out an investment order or to provide you statements of your accounts. We also use these account details to, when necessary, block payments, investigate and remediate product dysfunctionalities and solve claims, petitions and complaints regarding the requested services. We also use your personal information to contact you in order to, among others, notify you on contractual term changes, the expiry of a deadline/contractual condition, registering a debt or to provide you with information related to your services/relationship. We rely on the lawful basis of ‘necessary for performing agreements’ when we use your personal information for these and similar purposes. We use your credit information and credit eligibility information to make an assessment about your eligibility for credit. We also disclose the information we have collected about you to credit reporting bodies to obtain your credit report and credit score.
Compliance with legal obligations to which we are subject.
We use your personal information to comply with a range of legal obligations and statutory requirements including banking and financial regulations that oblige us to perform a/an:
Integrity check: When entering into a customer relationship with you, we have a legal obligation to consult available incidents registers and warning systems and national and international sanctions lists;
Identity verification: When entering into a customer relationship with you, we have a legal obligation to confirm your identity. We can do this by making a copy of your identity document, which we will only use for identification and verification purposes. For checking your integrity and identity, we may also rely on checks performed by other financial institutions;
Credit check: Before entering a customer relationship with you, we have a legal obligation to check whether you qualify as an acceptable customer. We assess your credentials from a risk perspective and form a view whether you can meet your financial obligations towards us as further detailed in Section 6 (Automated decision-making and profiling);
Fraud prevention and anti-money laundering and terrorism financing check: we have a legal obligation to check for potential fraud, money laundering and terrorism financing. We monitor, among others, unusual transactions, sanctions list as further detailed in Section 6 (Automated decision making and profiling);
Regulatory and statutory reports and data requests from our regulators, law enforcement agencies, tax authorities and external dispute resolution schemes as further detailed in Section 4 (Who do we share your data with and why).
To help us run our business and serve you better, including:
Credit risk and behaviour analysis: We use and analyse data about your credit history and payment behaviour to assess your ability to repay a credit facility that you have with us and help you manage your obligations under such credit facility.
To develop and improve our Products and Services. We may use your personal information when analysing your visit to our website or app with the aim of improving these. We use cookies and comparable technologies for this. For more information, we refer to our Cookie notification as published on our site. We will furthermore ask you for your feedback on our current Products and Services or ask for your opinion on new product ideas. This can include recording conversations you have with us, but we will always inform you upfront about this.
To promote, offer and distribute to you our Products and Services. We will process your personal information when informing you about Products and Services that we offer and/or distribute. We may also share your personal information with our partners to promote, offer and distribute ING-branded Products and Services. Of course, if you don’t want to receive these marketing communications you have the right to object or to opt-out. We understand you have changing needs. Therefore we strive to offer you a variety of services in order for you to select those that will best suit your specific situation. To improve our service offerings and our likelihood of presenting you with suitable options to select from, we may:
take into account your socio-demographic and financial data;
analyse your habits and preferences in our various communications channels, visits to our website or other online environments, etc.;
analyse the products and services that you have already purchased from us.
To ensure an effective and efficient internal business process execution and management reporting. We process your data for our internal processes and operations and to help our management to make better – data driven - decisions about our operations, policies, strategies and services. For that, we will always choose aggregated data, i.e. not identifiable to you as an individual, if we can. This includes:
analysing our market position in different segments;
performing cost and loss analysis;
training our staff for example by analysing recorded phone calls (when recording is permitted by local law) in our call centres to improve our calling scenario;
automating our processes such as application testing, automatic filling of complaints handling, etc.;
conducting litigation and complaint management.
To protect your vital interests.
We process your personal information when necessary to protect your interests which are essential for your life or that of another natural person. For example for urgent medical reasons pertaining to you.
To respect your choice, we request your consent for specific personal information processing.
For certain types of personal information processing, we will provide you with specific information about the process and request your prior consent before processing your personal information. This may include:
the use of biometric data such as face or fingerprints as authentication and/ or verification purposes such as for access to mobile apps.;
recording of your conversations with us online, by telephone or in our branches and offices.;
promotional activities where we inform you about products and services from partners of IBAL.;
You may revoke your consent anytime as further detailed below.
4. Who we share your personal information with and why
There are situations in which we need to provide your personal information to other parties involved in the provision of our services, which could be data transfers within the ING Group and to third parties. The ING Group and third party entities who we may share your personal information with may be located overseas. As ING Group operates in over 40 countries, it is likely that your personal information will be disclosed to overseas recipients. Where your CDR data includes personal information, we may disclose that personal information to an accredited data recipient.
Within the ING Group
IBAL is part of the ING Group which provides financial and insurance or brokerage services in over 40 countries. The countries to which your personal information is likely to be disclosed includes The Netherlands, Philippines, Poland, Romania, Singapore, and Slovakia.
For more information about the ING Group, we refer you to www.ing.com. The ING Group is committed to your privacy and it has adopted strong principles in that respect through its GDPP. The GDPP is approved by the Dutch Data Protection Authority which is the lead supervisory authority for ING Bank N.V. (our parent company) and is binding on all ING entities, subsidiaries, branches, representative offices, and affiliates worldwide (also known as "Binding Corporate Rules")
IBAL may share your personal information with ING Bank N.V. to ensure that the ING Group will be able to comply with its legal obligations and/or for reasons of substantial public interests:
Such as:
to comply with any regulatory and statutory reports and data requests as required by ING Group’s European regulators like, among others, European Banking Authority (EBA), European Central Bank (ECB) and the Financial Stability Board (FSB). When possible, personal information will be aggregated meaning that only information about groups of clients will be shared with the Group’s regulators to ensure that it can no longer be linked back to you.
for the development (also on behalf of IBAL) of ING’s internal credit models. Under EU banking rules, ING Group is obliged to develop these credit models to be able to calculate any counterparty risks and exposures which allows ING Group to determine our risks as well as the extent of the financial buffer we must hold, when providing financial services to you.
for the development (also on behalf of IBAL) of ING’s Know Your Customer (KYC) models. To safeguard the ING Group against involvement in Financial Economic Crimes, KYC models are being developed on a group level for client and transaction screening to detect (potential) criminal activities. These KYC models incorporate mandatory requirements derived from, among others, the EU Directives and Regulations in the area of prevention of money laundering and terrorist financing, the Basel Committee on Banking Supervision Guidelines (BCBS) and EU, US and UN sanctions laws and regulations.
IBAL also continues to strive to make the everyday procedures more efficient and effective since it is in our legitimate interest to offer you the best possible services at competitive rates. As such, IBAL will share your personal information with ING Group and other ING entities to centralise certain operations to achieve economies of scale.
Such as:
for, among others, the alert handling, fraud/ KYC screening, operational handling of payments and other transactions and quality assurance. For efficiency reasons, these operational activities are centralised in ING Business Shared Services (IBSS) entities located among others in Slovakia, Poland and the Philippines. These IBSS entities will process your data on behalf of IBAL and are fully subject to the GDPP to ensure an adequate level of data protection.
the development of models mainly related to improving customer processes such as optimisation of account management and product management in customer channels. For efficiency reasons, these models are mainly developed by our analytics department on group level in The Netherlands, Poland and Romania. Your personal information will be pseudonymised when transferred for this purpose.
Please note that IBAL will remain responsible to you for ensuring that the processing of your personal information - including any processing carried out by other ING entities on our behalf as set out above - complies with the applicable data protection regulations. Within the ING Group, there are contractual arrangements in place to ensure that your personal information will only be processed for a specific purpose on the basis of an appropriate legal basis (taking into account any effect such processing may have on you) and that adequate organisational and technical measures have been implemented to protect your rights. We will also remain responsible to handle any request you may have in relation to your privacy rights as described below.
With third parties
We also share your personal data with the following categories of third parties:
Government, Supervisory and Judicial authorities
To comply with our regulatory obligations we are obliged by law to disclose personal information to the relevant government, supervisory and judicial authorities, such as:
Public authorities, regulators and supervisory bodies and statutory approved external dispute resolution schemes such as the Office of the Australian Information Commissioner (OAIC), Australian Communications and Media Authority (ACMA), Australian Financial Complaints Authority (AFCA), Australian Transaction Reports and Analysis Centre (AUSTRAC), Australian Regulation Prudential Authority (APRA), Australian Securities and Investment Commission (ASIC), Australian Competition and Consumer Commission (ACCC) Reserve Bank of Australia (RBA) and Banking Code Compliance Committee (BCCC) in Australia.
Australian Tax Office (ATO) may require us to report customer assets or other personal information such as your name and contact details and other information about your organisation. For this purpose, we may process your identification data like social security number, tax identification number or any other national identifier in accordance with applicable local law.
Judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legal requests.
Other financial institutions
To process certain payment and withdrawal services, we share your personal information or the personal information of your representative (if any) with another bank or a specialised financial company. We also share your personal information with financial sector specialists who assist us with financial services like:
Exchanging secure financial transaction messages such as Worldwide Interbank Financial Telecommunication (SWIFT);
Payments and credit transactions worldwide including MasterCard and VISA when applicable;
Processing electronic transactions worldwide;
Settling domestic and cross-border security transactions and payment transactions;
Account information services; when you have specifically instructed an account information service provider to retrieve account information from your IBAL accounts on your behalf, we are obliged to share the necessary transaction data with such provider as long as you have consented to this;
Payment initiation services; when you have specifically instructed a payment initiation service provider to initiate payments from your IBAL accounts on your behalf, we are obliged to share access to your accounts with such provider as long as you have consented to this.
Service providers and other third parties
When we use other service providers or other third parties to carry out certain activities in the normal course of business, we may have to share personal information required for a particular task. We carefully select these companies and clearly agree with them on how they are to handle your personal information. We remain responsible for your personal information. These service providers support us with activities like:
Designing, developing and maintaining internet-based tools and applications;
IT service providers who may provide application or infrastructure (such as cloud) services;
Marketing activities or events and managing customer communications;
Preparing reports and statistics, printing materials and designing products;
Placing advertisements on apps, websites and social media;
Legal, auditing or other special services provided by lawyers, notaries, trustees, company auditors or other professional advisors;
Identifying, investigating or preventing fraud or other misconduct by specialised companies;
Performing specialised services like postal mail by our agents, archiving of physical records, contractors and external service providers;
Carrying out securitisation arrangements (such as trustees, investors and the advisers) or;
Where your CDR data includes personal information, we may disclose that personal information to an accredited data recipient.
Independent agents, brokers and business partners
We may share your personal information with independent agents, brokers or business and service partners that help us to supply Products and Services such as:
mortgage insurers,
organisations involved in our funding arrangements (like loan purchasers, stockbrokers, portfolio service providers and rating agencies) and
organisations that provide us with information, including publicly available information, so we can tell you about Products and Services we think may be of interest to you. Of course, if you don’t want to receive these marketing communications you have the right to object or to opt-out.
We may also share your personal information with external parties involved in the offer, distribution and service of the ING-branded products and services (i.e. white label products and services) such as
nib who offer and administer the ING Health Insurance product;
Auto & General entities who offer, distribute and administer the ING General Insurance and ING Roadside Assistance products; and
Diversa Trustees Limited who offer and manage service providers for the ING Living Super product.
They are registered in line with local legislation and operate with due permission of regulatory bodies.
Researchers
We are always looking for new insights to help you get ahead in life and in business. For this reason, we exchange personal information with partners like independent market research companies, who we engage to ask you for your feedback about our current Products and Services or to ask for your opinion on new product ideas. We carefully select these companies and agree with them on how they are to handle your personal information. We remain responsible for your personal information. When possible, the personal information will be shared at an aggregated level to ensure the results of the research will be anonymous.
Credit reporting bodies
For customers who apply for a credit facility with us in Australia, you agree that we may exchange your personal information with a credit reporting body ("CRB"), including by sharing information about:
your identity
your credit worthiness
your credit history, including about the type of credit you have (like credit cards, personal loans and home loans), how much you have borrowed, if you've made your repayments (including repayments you're required to make under your IBAL credit facility with us) and if you've experienced financial hardship
whether you have committed fraud or another serious credit infringement, and
obtaining commercial credit information about you in order to assess an application by you for consumer credit.
The CRBs we use include Equifax Australia Information Services & Solutions Pty Limited ("Equifax") (equifax.com.au) and illion Australia Pty Ltd ("illion") (illion.com.au). The privacy policy of each of Equifax and illion explains how it manages your personal information and can be found on its website.
CRBs may include information that we provide in reports to other credit providers to assist those credit providers to assess your credit worthiness. We may ask a CRB to give us your overall credit score, and we may use credit information from CRBs together with other information to arrive at our own credit score of your ability to manage your credit obligations.
Pre-screening assessments
Credit providers (like us) can ask CRBs to use your credit information to pre-screen you for direct marketing purposes, but you can tell CRBs not to do this. However, by applying for a credit facility with us, you may still receive direct marketing from us (unless you ask us not to) that has not been 'pre-screened'.
Fraud - 'ban period'
If you believe, on reasonable grounds, that you have been, or could be, a victim of fraud (for example, someone else may be using your name to apply for credit), you can ask CRBs not to use or give anyone your credit information during a 'ban period'.
The 'ban period' is a period of 21 days starting on the day you make the request. That period can be extended on your request where the CRB believes on reasonable grounds that you have been, or are likely to be, the victim of fraud. By applying for a credit facility with us, you agree to us accessing your personal information held with a CRB, even if there is a ban period in place, for the purposes of assessing an application for credit or in order to collect overdue payments.
Credit providers
For customers who apply for a credit facility with us in Australia, we may disclose information about you (including about your credit worthiness, credit history and repayment history information) to other credit providers to assess an application by you for credit, to notify them of a default by you and to inform other credit providers who allege you are in default with them. We may also disclose your information to any person reasonably necessary for the purposes of that person taking an assignment of any contract the lender has with you.
5. Transfer of personal information outside the EEA
Whenever we share your personal information (in case EU data protection laws apply) with third parties or other ING entities located in countries outside of the European Economic Area (EEA) that do not offer an adequate level of data protection, we will make sure there will be adequate measures in place to ensure that your personal information is sufficiently protected.
For this purpose, we rely, amongst others, upon the following so-called transfer tools:
EU Model clauses or Standard Contractual Clauses; these are contractual clauses we agree with any external service providers located in a non-adequate country to ensure that such provider is contractually obliged to provide an adequate level of data protection.
Binding Corporate Rules; for personal information transfers within the ING Group, we also rely on binding internal Group policies (i.e. the Binding Corporate Rules) to ensure that ING entities located in a non-adequate country will adhere to an adequate level of data protection when processing personal information covered by EU data protection laws as further detailed in Section 4 (Who do we share your personal information with and why).
Furthermore, we will assess on a case-by-case basis whether any organisational, technical (such as encryption) and/ or contractual safeguards need to be implemented to ensure your personal information is adequately protected, taking into account the legal framework of the country where the data importer is located.
6. Tranfer of credit information or credit eligibility information outside of Australia
We are unlikely to disclose your credit information or credit eligibility information to entities that do not have an Australian link.
Automated decision-making and profiling
Automated decision-making is when we make decisions by technological means without significant human involvement. Profiling involves the automated processing of personal information with a view to evaluating or predicting personal aspects such as the economic situation, reliability or likely behaviour of a person.
Since IBAL serves a wide group of clients, it makes the use of automated decision-making and profiling imperative. Examples are:
Credit risk rating
We create a profile of you when you apply for a loan or credit in order to assess if you can meet your financial obligations towards us and to ensure that we do not offer loans that are not suitable for you. We assess the risk connected to a contract with you via a method called credit-scoring. Your credit score is calculated based on automated decision-making. You have to achieve a pre-defined minimum-score to ensure an acceptable risk for us.
Based upon the personal information provided by you, we consult external service providers and credit rating agencies to acquire relevant financial information (credit-rating, financial statements, turn-over/solvency, and payment history). If you already have, or had, a relationship with us in the past, we combine the aforementioned (external) financial information with internal payment history and transaction data related to you. In case you do not achieve the minimum-score, the automated credit-scoring will result in a decline. In that case, we will refrain from entering into an agreement with you since we deem the risks for you and us too high.
Prevention of fraud and money laundering and terrorism financing.
We are obliged to perform client and transaction screening to detect (potential) criminal activities. As a result, we pay particular attention to unusual transactions and to transactions that - by their nature - result in a relatively high risk of fraud, money laundering or terrorism financing. To do this we create and maintain a risk profile of you. If we suspect that a transaction is connected with money laundering or terrorist financing, we are obliged to report this to the authorities.
Factors that we take into account that may indicate an increased risk of fraud or money laundering and terrorist financing are:
Deviations in a person's normal spending and payment behaviour, such as unexpectedly large amounts being transferred or debited;
Payments to or from suspicious countries, stores or addresses;
Being listed on an internal referral register. ING's internal referral register is a list of persons and institutions with whom we no longer want a relationship. They are a risk to IBAL, its staff and/or its customers. Only employees of ING security departments can view this list;
Being listed on an external referral register. Such external referral register is a list of the banks in the Netherlands that includes persons and institutions who have committed fraud or otherwise pose a risk to the financial sector. Financial institutions in the Netherlands can check whether persons and institutions are on the list and they can add them to the list;
Being listed on any national or international sanctions lists.
7. Your rights and how we respect them
If your personal information is processed, you have privacy rights. Based on applicable laws, your privacy rights may vary from jurisdiction to jurisdiction. If you have questions about which rights apply to you, please get in touch with us through the email address mentioned in item 9.
You have the following rights:
Right of access
You have the right to ask us for access to your personal information or the information that we hold about you. To do so, please provide your request in writing to the IBAL Privacy Officer at GPO Box 4094, Sydney NSW 2001 or customer.advocate@ing.com.au. Please specify the information you wish to access, to help us quickly identify and retrieve that information for you.
Please note that requests for access to your personal information may only be made by you or by another person who you have authorised to make a request on your behalf, such as a legal guardian or authorised agent. We will require you to verify your identity, or the identity and authority of your representative, to our reasonable satisfaction.
We may impose a reasonable charge for providing access to this information to recover any expenses incurred in retrieving and collating the requested information. Where an access charge applies, unless you authorise us to debit your account with us, access won't be provided until we receive payment. We will respond to your access request as soon as possible and tell you how long it will take to provide the information. This may be up to 30 days in some circumstances.
We may exercise our right to deny access to particular information in certain situations, for example, where access may reveal our commercially sensitive decision processes (e.g. criteria for loan approvals), where the information relates to existing or anticipated legal proceedings, or where it will threaten the privacy of other individuals.
If we deny you access to your personal information, we will write to you to:
explain the reason your access request has been denied unless it would be unreasonable for us to do so in the circumstances; and
the avenues available to you to complain about our refusal.
If we refuse to give you access, if appropriate, we will attempt to find alternative means to enable you to access the information, for example, through a mutually agreed intermediary.
Right to rectification
For personal information that is not CDR data, we take reasonable steps to ensure that your personal information is accurate, up-to-date, complete, relevant and not misleading. For instance, we may ask you to confirm some of your details when you speak to our Contact Centre staff. However, please contact us if you learn that any of your personal information that we hold is incorrect, has changed or requires updating. You can update some of your personal information using online banking.
It may take 30 days or more to consider your correction request in unusual circumstances (e.g., where we are required to consult with other credit reporting bodies and/or credit providers in relation to the information).
We will promptly update your personal information if it is inaccurate, out-of-date, incomplete, irrelevant or misleading. If we correct the personal information the subject of your correction request and we have previously disclosed that information to a third party, we will notify that third party of the corrected information (if we're required to by law).
If we disagree with your request to correct your personal information, we will write to you to: explain the reason your correction request has been denied unless it would be unreasonable for us to do so; and the avenues available to you to complain about our refusal.
If we disagree with your request to correct your personal information, you also have the right to ask us to attach a statement that in your opinion the information is in your opinion inaccurate, out-of-date, incomplete, irrelevant or misleading. However, please note that this right does not apply to our refusal to correct your credit information.
For personal information that is CDR data, please refer to our CDR policy for information on:
the steps we take to ensure that the CDR data we are required or authorised to disclose is accurate, up to date and complete; and
the steps we will take if we receive a request from you to correct the CDR data that we have disclosed in relation to you.
Right to object to processing
You can object to IBAL using your personal information for purposes outlined at paragraph 3 above if you have a justifiable reason. We will consider your objection and whether processing your personal information has any undue impact on you that would require us to stop processing your personal information.
You may not object to us processing your personal information if:
We are legally required to do so; or
It is necessary to fulfil a contract with you.
You can also object to receiving commercial messages from us. When you become an IBAL customer, we may ask you whether you want to receive marketing communications. Should you later change your mind, you can choose to opt out of receiving these messages. For example, you can manage your preferences on our website.
In addition, even if you opt out of receiving marketing communications, we will alert you to unusual activity on your account, such as:
When your credit or debit card is blocked;
When a transaction is requested from an unusual location.
Right to object to automated decisions
We sometimes use systems to make automated decisions based on your personal information if this is necessary to fulfil a contract with you, or if you gave us consent to do so. You have the right to object to such automated decisions (for in relation to credit scoring as explained above) and ask for an actual person to make the decision instead.
Right to restrict processing
You have the right to ask us to restrict using your personal information if:
You believe the personal information is inaccurate;
We are processing the personal information unlawfully;
We no longer need the personal information , but you want us to keep it for use in a legal claim;
You have objected to us processing your personal information for the purposes described at paragraph 3 above.
Right to data portability
You have the right to ask us to transfer your personal information directly to you or to another company. This applies to personal information you have provided us directly and that we process by automated means with your consent or on the basis of a contract with you. Where technically feasible, and based on applicable local law, we will transfer your personal information.
Right to erasure (‘right to be forgotten’)
IBAL is sometimes legally obliged to keep your personal information. However, if you exercise your right to be forgotten, we will erase your personal information when:
We no longer need it for its original purpose;
You withdraw your consent for processing it;
You object to us processing your personal information for the purposes described at paragraph 3 above or for commercial messages;
IBAL unlawfully processes your personal information; or
Local law requires IBAL to erase your personal information.
Right to complain
Should you as a customer, or a customer’s representative, be unsatisfied with the way we have responded to your concerns, you have the right to submit a complaint to us. For example, if you have any complaints about how IBAL has handled your personal information or you wish to make a complaint about how IBAL has breached the Australian Privacy Principles, Division 3 of Part IIIA of the Privacy Act or the Privacy (Credit Reporting Code) 2014. If you are still unhappy with our reaction to your complaint, you can escalate it to the ING Bank data protection officer.
If you have a complaint or a concern about privacy at IBAL, including if you consider that we have breached the Privacy Act, the Credit Reporting Privacy Code or other applicable Privacy Code that applies to us, please contact the Privacy Officer by one of the means set out above. If you are not satisfied with how your complaint or concern about privacy is resolved, you can refer your complaint to Australian Financial Complaints Authority (AFCA). AFCA can be contacted on the following details:
Visit www.afca.org.au
Email info@afca.org.au
Call 1800 931 678
Write to Australian Financial Complaints Authority GPO Box 3 Melbourne VIC 3001
If you are not satisfied with how your complaint or concern is resolved by the relevant external dispute resolution body, you can then refer your complaint to the Privacy Commissioner. The Privacy Commissioner can be contacted on the following details:
Visit www.oaic.gov.au
Email enquiries@oaic.gov.au
Call the Privacy Hotline: 1300 363 992
Write to: Office of the Australian Information Commissioner GPO Box 5218 Sydney NSW 2001
Please go to the "Complaints and Disputes" section of our website for information on how we deal with your complaints that are not privacy related.
Handling your complaints
We aim to:
acknowledge receipt of your complaint within 24 hours; and
resolve your complaint within 28 days. In certain circumstances that may not be possible. If we form the view that we can't resolve your complaint within 28 days, we will notify you of the reason for the delay and the expected timeframe to resolve your complaint.
Right to withdraw consent
If you have given your consent to us for specific processing of your personal information as set out in Section 3 (What do we do with your personal information), you can at any time withdraw your consent. From that moment, we are no longer allowed to process your personal information. Please be aware that such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
Exercising your rights
To exercise any of the rights as set out above, please send your request using the contact details at paragraph 11 below.
When exercising your right, the more specific you are with your request, the better we can assist you. We may ask you for additional information to verify your identity. In some cases we may deny your request and, if permitted by law, we will notify you of the reason for denial of your request. If permitted by law, we may charge a reasonable fee for processing your request.
We want to address your request as quickly as possible. However, based on your location and applicable laws, the response times may vary. Should we require more time (than what is normally permitted by law) to complete your request, we will notify you immediately and provide reasons for the delay.
8. Retention
We do not store your personal information longer than we need to for the purposes (as set out in Section 3 (What do we do with your personal information)), for which we have processed it. This will be in most cases at least 7 years from the data of providing the relevant document except for customer verification records which are retained until the end of customer relationships. Sometimes we use different storage periods. For example, if the supervisory authority requires us to store certain personal information longer or if you have filed a complaint that makes it necessary to keep the underlying personal information for a longer period. If we no longer need your personal information as described above, we delete or anonymize the personal information, in accordance with regulatory provisions and applicable law.
9. How we protect your personal information
We take appropriate technical and organisational measures to ensure the availability, confidentiality and integrity of your personal information and the way it is processed. This includes state-of-the-art IT security, system and access controls, security monitoring, segregation of duties, etc. We apply an internal framework of policies and minimum standards across all our business to keep your personal information safe. These policies and standards are periodically reviewed to keep them up to date with regulations and market developments.
In addition, IBAL employees are subject to confidentiality obligations and may not disclose your personal information unlawfully or unnecessarily. To help us continue to protect your personal information, you should always contact IBAL if you suspect that your personal information may have been compromised.
10. Changes to this Privacy Statement
We may amend this Privacy Statement to remain compliant with any changes in law and/or to reflect how our business processes personal information. This version was approved on 28 March 2024.
11. Contact and questions
To learn more about how we protect and use your personal information, you can send us an email to
privacyaccessrequests@ing.com.au
Write to:
IBAL Privacy Officer
GPO Box 4094