Privacy statement for Customers

Privacy and the protection of personal data are important to DLL. This privacy statement outlines how we collect and use personal data and meet our data protection obligations.

When you interact or do business with DLL Group in one of the countries where DLL Group is present, you will have contact and/or a relationship with a local subsidiary or branch office. If such local relation involves processing of personal data, the privacy statement of the local DLL subsidiary or branch office will be applicable to such processing.

  • This privacy statement applies to you if your personal data is processed by De Lage Landen International B.V.:

    • as a customer, if a DLL Group subsidiary or branch office provides, or offers to provide to you, a financial solution.
    • as a partner (i.e., equipment manufacturers and their distribution partners, from authorized distributors and independent dealers to resellers), if we seek to create or have a relationship with you.
    • as a supplier, in the course of receiving products, services, or offers from you.
    • as a customer, partner, supplier or other individual when you visit one of our websites, online applications or our offices.

    Depending on the relationship, we may process personal data in different ways. If the manner in which we process personal data differs substantially, we will mark this out clearly within this privacy statement.

    This privacy statement only applies to our customers, partners, suppliers and our online visitors and office visitors. If you are a job applicant or employee, you will be provided with another privacy statement covering how we manage your personal information for that relationship.

  • As a customer, partner, or supplier, you must not provide us with more personal information of yourself, your employees, representatives, clients, or Ultimate Beneficial Owners (UBOs) than we might need for a given purpose.

    You must also inform your employees, representatives, clients, or UBOs about your intention to transfer their personal information to us. You may refer them to this privacy statement so that they can learn how and why we process their personal data.

  • Our contact information is:

    De Lage Landen International B.V.
    Vestdijk 51, 5611 CA Eindhoven, the Netherlands
    + 31(0)40233 99 11

    We are a wholly owned subsidiary of Coöperatieve Rabobank U.A. (“Rabobank” and together with its subsidiaries, the “Rabobank Group”), a Dutch bank headquartered in Utrecht, the Netherlands.

    De Lage Landen International B.V. is also a Dutch Bank. As a holding company, DLL has subsidiaries and branch offices in more than 30 countries on all continents, which together with DLL are referred to in this Statement as ‘DLL Group’. DLL sets the strategy for DLL Group and enters into strategic partnerships on a global level with international Partners.

    These global partnerships are the basis for financial contracts that are entered into with customers by local subsidiaries of DLL Group.

    DLL consolidates the business of DLL Group and aggregates and categorizes various data relating to the contracts and partnerships entered into by DLL Group. This aggregated data can include personal data and is used for reporting purposes, for example to regulators, and to analyze and monitor our business and portfolio.

    A Data Protection Officer (“DPO”) has been appointed for DLL Group.

    The DLL Group DPO can be contacted by email via privacyoffice@dllgroup.com.

  • “Personal data” is any information directly or indirectly relating to an individual, or any information that can be used to identify an individual.

    Personal data is “processed” when any activity is undertaken on your personal data, such as collection, storage, access, use, transfer, disclosure, and deletion.

    For customer, partner, and supplier relationships, the personal data DLL processes mainly consists of information relating to the customer’s, partner’s, or supplier’s directors, representatives, and, if applicable, UBOs. This is because DLL predominantly enters into customer, partner, and supplier relationships with legal persons (e.g., limited liability companies and corporations), rather than with individuals. But we also process personal data of organizations which are considered to be natural persons (e.g., sole proprietorships and specific partnerships with natural persons participating).

    As part of these relationships, we may process the following personal data:

    Contact and identification data
    Your name, address, telephone number, (business) e-mail address, copy of ID, date of birth, business VAT number (if applicable), and copy of proof of residency.

    Contract/agreement data
    Contract number, contract duration, information concerning your financial situation, payment history, bank account details, risk profile, our products or services, and the process of obtaining financial services.

    Data used to ensure your and our security, to prevent and investigate fraud, and to prevent money laundering and financing of terrorism
    Personal data that are processed in the external and internal referral registers of Rabobank and any personal data processed in relation to credit reference agencies and in national and international sanctions lists.

    Recorded calls, recordings of video chat and online chat sessions, video surveillance, and documentation of e-mails
    Information concerning our conversations via telephone or in online chat sessions, inbound and outbound e-mail communications, and camera images that we record in our offices.

    Data related to the use of our websites and online applications
    Cookies or similar tracking technologies may collect your IP address and data about the applications and devices you use to visit our website and online applications.

  • We may collect special categories of personal data which are considered more sensitive, such as information relating to your racial or ethnic origin, criminal history, and health/biometric data. We will only process these special categories of personal data if necessary for the applicable purposes, as further described below.

    Race or ethnic background / health data
    For tax purposes and for certain anti-terrorism reasons, we are required to record information about your country of birth. We may also have/take/store your photograph or film you on our CCTV (closed-circuit television) if you visit our offices. However, we do not register your race, ethnic background or health data, and we do not use race, ethnic background or health data to make decisions.

    Personal data concerning criminal convictions
    We may process data related to your criminal record or criminal convictions in the context of anti-money laundering, fraud prevention, and regulatory reporting which may be obtained from open sources (e.g. media searches) or national sanction, fraud and crime prevention databases.

  • Data protection and privacy laws require us to have a lawful ground for processing your personal data. Depending on the purposes for which we process your personal data, the lawful ground may differ.

    Consent
    You give us your permission to use your data. You are always free to withdraw your consent.

    Legal obligation
    Legally, we are obliged to process your personal data.

    Contractual necessity
    We need your personal data to enter into a contract with you and comply with our contractual commitments to you.

    Legitimate interest
    We have a legitimate interest in processing your personal data, which is not outweighed by your interests, fundamental rights, and freedoms. For example, DLL has a legitimate interest in processing your personal data when requesting you to complete a survey on how we can improve our services.

  • When we establish a new relationship with a customer, partner or supplier
    If we establish a new customer, partner or supplier relationship, then we will process the personal data of the relevant employees and the representatives of that customer, partner or supplier in the administration of the new relationship and as part of our due diligence checks.
    Lawful ground: Contractual necessity

    When we undertake KYC/AML, identity verification, and integrity checks
    We must confirm the identity of our customers, our partners, their representatives and UBOs to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. We may do this by making a copy of identity documents, which we will only use for identification and verification purposes. We also consult available external and internal referral registers of Rabobank, incidents registers and warning systems, and national and international sanctions lists. We undertake these checks at the start of any contract negotiation and once a contract is live we will continue this monitoring on a regular basis.
    Lawful ground: Legal obligation

    Account management and contract management for customers, partners and suppliers
    We process your personal data to establish and/or maintain our business relationship with you.
    Lawful ground: Contractual necessity

    When we improve the credit decisioning models
    DLL in principle does not enter into business relationships with individuals but rather with legal entities. Therefore, automated individual decision-making is not used by DLL. DLL, however, assists local subsidiaries of DLL Group in their (automated) credit scoring activities, which may include individual decision-making. Such assistance includes, for example, the development and design of risk models and so-called scorecards.
    Lawful ground: Legitimate interest

    If you have a query on your contract
    We will process your personal data if you contact us with a query about your contract. If you call our Customer Service team, we record these calls for monitoring and improvement purposes.
    Lawful ground: Contractual necessity (managing queries) and Legitimate interest (call recording)

    When we ask you for feedback
    We may ask you to rate our services whenever we interact with you by email, or we may send you separate feedback requests (e.g., a feedback questionnaire) so that we can understand where we can make improvements.
    Lawful ground: Legitimate interest

    If we send you mail
    If we send you hard copy documents via a postal service, we will share your name and contact details with the postal service provider.
    Lawful ground: Legitimate interest

    When we contact you about similar products or services
    Where we have an existing customer relationship with you, we may contact you to make you aware of products or services that are similar and may be of interest.
    Lawful ground: Legitimate interest

    When we undertake direct marketing
    If you are a potential new customer, we may contact you to make you aware of our products and services.
    Lawful ground: Consent

    When we share customer information with our partners to manage the relationship
    We may share details of your asset purchase and contract details such as term as well as start and end dates with the partner who introduced you as a customer to DLL.
    Lawful ground: Legitimate interest

    When we build business relationships with new customers, partners and suppliers
    We may obtain your contact and company details via our relationship with an intermediary with whom you have or had a business relationship, via Rabobank Group or via internet searches of publicly available information.
    Lawful ground: Legitimate interest

    To manage our risk
    Based on European and Dutch laws, we are legally obliged to develop risk models, which can include personal data. This allows us to determine our risks, as well as the extent of the financial buffer we must hold, when providing financial services. These risk models calculate the chances of you falling into arrears. These enable us to prevent possible payment difficulties and/or handle these faster. We independently review the financial products we provide and our risk exposure to ensure fiscal responsibility.
    Lawful ground: Legal obligation / Legitimate interest (when the law does not specifically set out that we need to process personal data to meet this obligation)

    For our financial planning, audits, regulatory, and internal reporting
    We use personal data of our customers to populate aggregated reports which are required for financial and regulatory reporting. We also use aggregated data to construct strategic plans and develop and enhance our business processes.
    Lawful ground: Legal obligation (audits and regulatory reporting) / Legitimate interest (planning and internal reporting)

    If a company merger, acquisition, or divestment takes place
    If we acquire, merge, or divest one of our business entities, we will process your personal data to transfer your contract to the relevant entity.
    Lawful ground: Contractual necessity

    In case of transfer of receivables/securitization
    If we transfer our agreement with you to another financial institution, our agreement is taken over, or a merger or demerger occurs, your personal data may be processed by a third party acquiring your contract with us. However, it will be a condition of any such transfer that such third party agrees to comply with applicable data protection and privacy laws.
    Lawful ground: Contractual necessity

    We process the personal data of visitors of our websites, online applications (e.g. portals, mobile apps) and offices for a variety of purposes.

    When you visit our websites and online applications
    We operate cookies or similar tracking technologies on our websites and online applications to ensure they function correctly. You can read more about how we use cookies or similar tracking technologies in our Cookie Statement.
    Lawful ground: Consent (for functional, performance and marketing cookies)

    If you access an online account on our online applications
    If you are given a log in to a DLL customer or partner online web portal or mobile application, we will process your contact details and provide you with security credentials to enable you to access your account. Cookies and tracking technologies are in operation on these sites which you can read more about in our Cookie Statement.
    Lawful ground: Legitimate interest

    To manage our facilities
    If you visit a DLL office, we operate CCTV and ensure access to offices is managed securely. Your image is captured by our CCTV systems and your contact details are recorded to provide you access to our offices via a secure pass.
    Lawful ground: Legitimate interest

    In addition, we may process the personal data of anyone who interacts with us for legal, compliance and business improvement purposes.

    To develop and improve our systems and processes
    We may process personal data to develop and improve our systems and processes. When we test new systems, we will aggregate, anonymize, or scramble data so that it is no longer identifiable.
    Lawful ground: Legitimate interest

    To manage and evidence our compliance with data protection and privacy laws
    If you exercise any of your rights under data protection and privacy law, we will process your data to manage your request. If we experience a data breach, we will process the data of impacted individuals as required to mitigate risk and inform you of a breach where it is required.
    Lawful ground: Legal obligation

    If you make a complaint
    We will process your contact details and any supporting information to administer, investigate, and respond to your complaint.
    Lawful ground: Legal obligation

    When we make or receive a legal claim
    We will process personal data if we make or receive a legal claim in respect of the contract we have with you. We may share your personal data with legal specialists for the purpose of defending our legal rights.
    Lawful ground: Legal obligation

    For legal and regulatory compliance purposes
    In some cases, we may be instructed by relevant government or supervisory authorities to process or share your personal data to comply with a regulatory requirement, court order or assist with an investigation.
    Lawful ground: Legal obligation

  • DLL in principle does not enter into business relationships with individuals but rather with legal entities. Therefore, automated individual decision-making is not used by DLL. DLL, however, assists local subsidiaries of DLL Group in their (automated) credit scoring activities, which may include individual decision-making. Such assistance includes, for example, the development and design of risk models and so-called scorecards.

  • DLL is subject to the Rabobank Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” (“BCRs”). This means we must meet minimum standards in the collection and processing of personal data.

    DLL is committed to taking the necessary organizational and technical measures to protect your personal data when we process it and share it with third parties. These include:

    • All our employees are subject to confidentiality obligations to ensure the adequate protection of your personal data.
    • We use appropriate security measures to ensure the confidentiality, integrity, and availability of your data, as well as certifying systems and services which are resilient and are able to restore data in the event of a data loss.
    • Where possible, we aim to secure your personal data by lessening or removing personally identifying elements.
    • We regularly evaluate the effectiveness of our technical and organizational measures to ensure continuous improvement in the security of processing personal data.
    • We usually only process your personal data for the purposes for which these were originally collected. Personal data may also be processed for a legitimate business purpose different from the original purpose (secondary purpose), but only if the secondary purpose closely relates to the original purpose.
    • When we share your data with third parties outside of the Rabobank Group, we perform due diligence and thorough assessments of those parties and verify the secure processing of your personal data by way of contractual terms and conditions.

    The Rabobank Privacy Codes are available on our website.

  • Sometimes we may have a clear and legitimate reason to share your data with other parties.

    Sharing data within the DLL Group
    As we are a global organization, personal data may be transferred to other entities in the DLL Group that provide operational support enabling the delivery of better customer services. An example of this is when operational support is provided by our shared service center based in India. We also provide products and services to global partners and customers and collaborate across the various DLL entities to deliver global solutions.

    Sharing data within the Rabobank Group
    DLL is a wholly owned subsidiary of Coöperatieve Rabobank U.A., a Dutch Bank with registered office in Amsterdam, the Netherlands (“Rabobank”). The “Rabobank Group” consists of Rabobank plus all its subsidiaries. There may be times when we share personal data with Rabobank or other Rabobank Group entities. For instance, you may be a customer and/or partner of Rabobank and DLL, respectively, and we might share your data internally to avoid a duplication of your efforts. Alternatively, we may share your data with Rabobank (or vice versa) if we think they might have a financial product that might be of interest to you.

    Sharing data outside the Group
    Like any other company, we rely on the services of third parties.

    When we engage specialist suppliers, consultants, or contractors to assist us in running our business, we may share your personal data with them where it is necessary for the service they provide to us. For instance, we may use a third party for parts of our Know Your Customer checks or use services hosted in a third party cloud environment.

    Any third party that we employ is checked to ensure they are reliable, and we only engage them where they enter into a proper contract with us and implement appropriate security and other measures to guarantee that your personal data remains confidential.

    When legally obligated to do so, we will share your personal data with government authorities, regulators or supervisory authorities, and law enforcement agencies.

  • Your personal data may be transferred to a country outside the European Economic Area (EEA) that provides a lower level of protection to personal data than the legislation in the EEA.

    Transfers within the Rabobank Group
    When we share your data with other entities of the Rabobank Group that are in countries other than the country in which your personal data was originally collected, we rely on the Rabobank Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” (“BCRs”), which are a set of rules that all Rabobank Group entities must comply with to ensure an adequate level of protection for your personal data. Because of these codes, the same rules apply to all entities of the Rabobank Group, permitting us to share data within the Rabobank Group. The Rabobank Privacy Code is available on our website.

    Transfers outside the Rabobank Group
    When we transfer your data to a third party located in a country outside the EEA that provides a lower level of protection for personal data, we take extra measures to protect your data.

    We will apply additional safeguards so that your data is protected to the same level as the data protection and privacy laws in the EEA. This includes undertaking transfer impact assessments, implementing contractual measures approved by the European Commission, and implementing other extra security measures where needed.

  • We do not store your personal data for longer than we need to achieve the purposes for which we have collected it or for the secondary purposes for which we reuse it.

    We have a retention policy which specifies how long we store data. In most cases, this is 7 years after the end of the contract or your relationship with DLL. Sometimes this period is longer, for example, if applicable law requires longer retention, if a supervisory authority asks us to do so, if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period, or in specific cases for archiving or legal proceedings. Sometimes we use shorter retention periods, for example for telephone call and camera recordings.

    We have implemented appropriate technical and organizational measures to ensure that only people that have a right to access your information can access it. For example, our marketing department has access for a shorter period compared to our tax department.

    We will delete personal data at an earlier time if you request us to delete your personal data, unless another law prevails.

  • Global data protection and privacy laws differ when it comes to individual rights regarding personal data. DLL, however, offers all individuals the following rights concerning the processing of their personal data:

    Access and Rectification
    You can ask us to access the personal data we hold about you. Where you believe that your personal data is incorrect or incomplete, you can ask us to correct or add more detail to your personal data.

    Erasure
    You can ask us to erase your personal data processed by us. If we do not have any legal obligations or legitimate business reasons to retain your personal data, we will fulfill your request.

    Restriction
    You can ask us to limit the personal data we hold about you. We may refuse this type of request if we have a lawful reason to continue holding your personal data (e.g., the exercise of a contract, a legal archiving duty, or the establishment, exercise, or defense of legal claims).

    Portability
    You have the right to ask us to provide to you a copy of your personal data in a structured and machine-readable format or to transfer your personal data on your behalf to a third party. Transfer of personal data directly to a third party can only be done if it is technically possible.

    Objection
    You have the right to object to the processing of your personal data. If you object to our processing of your information, we will stop the processing where there is no overriding legal or regulatory requirement. If an overriding requirement exists, we will inform you of this.

    Consent withdrawal
    If you have given your consent to us to process your personal data, you can withdraw your consent at any time. We will stop any processing allowed solely by consent within 30 days of receiving your request.

  • For questions related to this privacy statement, please contact our local privacy officer or local compliance officer via: privacyoffice@dllgroup.com

    If you would like to exercise any of your rights, please do so by completing this form:

    Submit a Request or Complaint

    We will respond within one month after we have received your request. In some cases, however, we may need to extend this period for up to another 2 months. We may need to ask you for some additional details to clarify your request or provide verification of your identity.

    We will do our best to handle your request, question, or complaint quickly and efficiently.

    If you are unhappy with how we handle a request, question, or complaint, you can contact your local Data Protection Authority. You can find the contact details of your local Data Protection Authority below:
    Autoriteit Persoonsgegevens
    P.O. Box 93374 The Hague, the Netherlands
    Telephone number: +31 (0)70 888 85 0

  • This privacy statement will be updated from time to time in case of additional legal requirements or if we process personal data for new purposes. Please note that you can find the latest version of this Statement on our website, www.dllgroup.com.