1. General information

KBC Group NV, Havenlaan 2, 1080 Sint-Jans-Molenbeek, Belgium, VAT BE 0403.227.515, RLP Brussels, www.kbc.com (referred to hereinafter as ‘KBC’) is the data controller of your personal data for the purposes of organising its General Meetings. Please read this Data Protection Statement carefully, because it contains essential information about how KBC processes your personal data. It also contains more information about your privacy rights and how you can exercise them.

KBC will take every measure to ensure your privacy and your data are protected at all times. You can read more about this in our Data Protection Statement, which tells you in detail what type of data this involves, how we protect it, for which purposes we use it, and how data is exchanged within and outside the KBC group. It also explains your rights and how you can exercise them.

KBC may amend this Data Protection Statement at any time.

2. To whom does this Data Protection Statement apply?

This Data Protection Statement applies to you as a:

• shareholder
• shareholder’s representative
• participant in the General Meetings (e.g., secretary, chairperson, member of the Board of Directors)

3. How does KBC obtain personal data?

KBC receives personal data because you personally take part in the General Meetings or your financial intermediary has provided certain data in the context of the General Meetings.

4. What personal data does KBC process?

• basic identification details such as your name, date of birth, nationality;
• contact details such as your e-mail address, address, telephone number;
• financial data such as the number of KBC shares with which you wish to participate in the General Meetings, your account number;
• information regarding your voting instructions and voting behaviour;
• image and sound recordings, for example, the image and voice of the chair of the General Meetings, the members of the Board of Directors, and the secretary – KBC will ensure that the attending shareholders and representatives are not visible on camera; should any of them speak during the General Meeting, their name(s) will be removed from the recording.

5. Purposes and legal ground for data processing

KBC processes your personal data for the following purposes:

• organisation and conduct of the General Meetings;
• remote participation using an electronic means of communication (if applicable) and the analysis and management of the attendance and voting procedures;
• recording and publication of the General Meetings;
• taking and publishing General Meeting minutes.

To this end, KBC invokes:

• a legal requirement it is subject to; these legal requirements may arise from, for example, corporate and tax laws;
• its legitimate interest, provided that the fundamental rights and freedoms of the data subject do not outweigh this interest.

6. Your rights

When KBC processes your personal data, you have certain rights: 

• You can inspect your data: you have the right to know what personal data we hold on you at any time, and also how KBC uses your personal data.
• You can have your data corrected: it can happen that certain data held on you by KBC is not (or no longer) accurate. You can ask for the data to be corrected or completed at any time.
• You can have your data erased or ask to restrict the processing of your data: if KBC has no overriding ground for processing your personal data (e.g., a legal requirement), KBC will erase it.
• You can object to your data being used for certain purposes: KBC can process data on the basis of legitimate interest. If you do not agree with this, you can object to it. If there are no overriding grounds not to do so (e.g., to combat fraud), we will comply with your request.

7. Your first points of contact

Please be as specific as possible when you wish to exercise your privacy rights, so that KBC can handle your request appropriately. KBC will need to be able to verify your identity in case someone else tries to exercise your rights. If you have any questions or feedback regarding the exercise of your privacy rights or you require assistance with the exercise of your rights through our digital applications, send an e-mail to mypersonaldata@kbc.be or contact your KBC branch or your KBC Insurance agent. If you are a customer and you use KBC Mobile or KBC Touch, you can easily activate your right of access or your right to object to direct marketing. You can consult, amend or terminate the use of certain data yourself using KBC Touch, KBC Mobile, Bolero Online, KBC Business Dashboard, KBC 4 Business or a branch ATM. If we can contact you digitally, we will give you access through the KBC Mobile app. If you prefer to receive your personal data through another channel (e.g., by post or e-mail), you should state this explicitly in your request.

If you do not agree with KBC’s point of view, be sure to visit the website of the Belgian Data Protection Authority. You can also lodge complaints there.

8. Cooperation, confidentiality and security

8.1. Access to and processing of your personal data at KBC

At KBC, only authorised persons have access to your personal data, and only if the data is relevant to their tasks. These persons are bound by a strict professional duty of confidentiality and must abide by all technical instructions to safeguard the confidentiality of your data and the security of the systems. When processing personal data, KBC also uses several processors, i.e. companies that process the data on KBC’s instructions.

8.2. Disclosure of information to third parties

KBC will not sell or lease your personal data to third parties. In rare cases KBC may be required to disclose your personal data to third parties pursuant to a court order or in order to comply with other mandatory legislation or regulations. KBC will make reasonable efforts to inform you of this in advance, except in cases where the law imposes restrictions.

8.3. Processors within the KBC group

For the processing of personal data, KBC makes use of processors within the KBC group based in the European Union such as, for example, KBC Global Services NV for ICT management.

8.4. Support from other processors

KBC may make use of other processors for the processing of personal data. These are companies which are permitted to process personal data on contract from KBC, for instance external service providers that KBC uses in the context of the aforementioned purposes such as:

• ICT and/or ICT security service providers;
• companies specialising in providing support for virtual meetings (e.g., LUMI);
• printers for printing and addressing;
• freelance translators and translation agencies.

8.5. Processing by other controllers

As data controller, KBC may also make use of other service providers or third parties who themselves are data controllers such as lawyers or notaries public.

9. KBC takes specific measures to protect your data

KBC ensures that strict rules are followed and that the processors concerned:

• only have the data they need in order to perform their tasks;
• have given KBC a commitment that they will process this data securely and confidentially, and only use it for carrying out their tasks.

KBC ensures that the European data protection standards for personal data are applied worldwide within companies belonging to the KBC group and their branches. KBC also ensures that companies and corporate branches of the KBC group take appropriate measures to protect the data of legal entities.

KBC takes internal technical and organisational measures to prevent personal data finding its way into the hands of, or being processed by, unauthorised parties or being accidentally altered or deleted.

Strict security measures are in place to protect premises, servers, the network, data transfers and the data itself, and extra checks are also carried out by a specialist department in this regard.

10. KBC does not keep your data forever

KBC will not process personal data for longer than is necessary for the purposes for which it was collected, with due observance of the retention periods required under corporate and tax laws.

11. Data transfer outside the EEA

The law in some countries outside the EEA does not always provide the same level of data protection as in EEA member states. Where a non-EEA country is viewed by the European Commission as not offering an adequate level of protection, KBC Group NV can cover the deficiency by, say, agreeing the required contractual guarantees with those third parties (such as a model approved by the European Commission), providing control mechanisms and implementing technical and organisational measures.

The transfer of personal data to countries outside the European Economic Area or to international organisations was screened by KBC. This transfer either takes account of the European Commission’s list of safe countries or is based on reasonable and sufficient security measures or falls under a specific derogation from the GDPR.

The most important aspects of international data transfer are explained in more detail below. Feel free to e-mail mypersonaldata@kbc.be if you have any questions.

11.1. Processors outside the EEA

KBC always opts for the processing of personal data to take place within the European Union. Given the nature of certain processes (for example, when round-the-clock support is required), in some cases personal data may be transferred to processors outside the EEA.

Even if the data centre is located within the EEA, access from outside the EEA may still be possible in some cases (e.g., in case of technical problems, or when round-the-clock support is required). This is also considered data transfer outside the EEA.

For some processes, the processors’ data centres may be located outside the EEA or accessed from outside the EEA, as is the case for the United States of America.

Even if the transfer is subject to an adequacy mechanism (such as the EU-US data protection framework in the United States of America), KBC will still ascertain that third parties provide an adequate level of protection.

Some examples:

11.2. Data transfer to controllers outside the EEA

Similarly, when data is transferred to another controller in a country outside the EEA, these transfers are screened by KBC and the necessary measures are applied.

12. Amendments to the Data Protection Statement

KBC may amend this Data Protection Statement at any time. In order to keep you informed of the most recent amendments to the Data Protection Statement, KBC will update the revision date each time it is changed. The amended Data Protection Statement is valid on that date. KBC will inform you in advance of any important substantive amendments. You can also find more information about the Belgian Data Protection Act in general on the website of the Belgian Data Protection Authority, at www.dataprotectionauthority.be.