Privacy Statement

Stichting Rabo Foundation (‘Rabo Foundation’, ‘we’, ‘our’) processes personal data in order to carry out its mission as a foundation that supports social and economic development worldwide. We handle your data with care and in accordance with the General Data Protection Regulation (GDPR). This Privacy Statement explains which personal data we process, for what purposes, how long we keep them, and what your rights are.

Privacy Statement - January 2026

Personal data
These are data that either directly or indirectly say something about you, such as your name and address. They’re not the same as data pertaining to a legal entity, such as a company or corporation. But data relating to a legal entity’s contact person or representative are considered to be personal data.

Processing
Anything you can do with personal data, including collection, storage, use, transfer and deleting your data.

Rabo Foundation processes personal data when we have a business relationship with you, when we want to enter into one, or when we’ve had one in the past. We also process your data when we have had contact with you and/or your representatives. We receive your personal data because you provide it to us, for example via our website, via e-mail or over the telephone.

We can also receive your personal data from public sources, such as public registers, newspapers or the internet, or from a third party if you have granted them permission to share your data with us. We may also receive personal data from partner organisations when we jointly execute programs or financing activities, and only when such sharing is lawful.

We may process the following personal data:

Identity and contact details, such as your name, address, telephone number, e mail address, and—where necessary—information from an identification document. We use these data to identify you, to communicate with you, or to prepare and execute an agreement.

Citizen Service Number (BSN), but only if we are legally required to process it.

Information you share with us, including e mails and other communications.

Financing‑related information, such as financial statements, repayment information, project performance reports, risk assessments, and information necessary for due‑diligence checks where required by law (e.g., anti‑money laundering requirements.

Data we exchange with service providers who support our activities, such as event organisers, IT providers or newsletter services. We only share personal data with such parties when necessary and always under appropriate safeguards. We may also share your data with third parties at your request.

Organisation related information, when you act on behalf of an organisation we interact with.

Content relating to your interactions with us, such as grant applications or other submitted documents.

Technical data generated through your use of our website, such as cookie or analytics information, see our Cookies Statement.

We process personal data only when we have a valid legal basis for doing so. In many cases, we are required to process your data because of legal obligations that apply to foundations. When a legal requirement does not apply directly, we may still process your data if we have a legitimate interest in doing so. In such cases, we carefully balance our interests against your right to privacy. We may also process personal data when this is necessary to prepare or enter into an agreement with you.

We may process your personal data, for example, when:

a) We have, seek, or have had a relationship with you.
In these situations, we need personal data to manage and maintain the relationship or to carry out related activities.

b) It is necessary to ensure security.
This includes protecting the security of our systems, our communications, and our organization. Where required by law, this also includes measures to prevent fraud or other harmful activities.

c) You act on behalf of an organization.
If you contact us or work with us in a professional capacity, we may process your personal data to verify your role or authority to represent your organization.

Rabo Foundation does not provide personal data to other parties for commercial purposes and does not sell personal data under any circumstances.

In addition, we process personal data for purposes such as:

Reviewing and managing financing applications

Assessing, issuing, and managing financial products such as loans, guarantees, or other financing instruments, including repayment monitoring and risk management

Maintaining relationships with partners and beneficiaries

Organising meetings, events, and communication activities

Complying with legal obligations applicable to foundations

Ensuring the secure and effective functioning of our website

Legal bases for processing

We process your personal data based on one or more of the following legal bases:

Your consent, when you have given it

Performance of an agreement (including grant agreements) or steps taken at your request before entering into an agreement

Compliance with a legal obligation

Legitimate interest, such as ensuring the effective operation of our foundation and improving our services

We retain personal data only for as long as necessary to fulfil the purposes for which the data were collected or for which they are further processed. Rabo Foundation follows an internal retention policy that specifies how long different categories of data may be kept. In many cases, this period is up to seven years after the end of an agreement or your relationship with Rabo Foundation, in line with Dutch legal and administrative requirements.

In some situations, we may need to keep personal data for a longer period—for example, when a complaint, legal obligation, or other requirement makes extended retention necessary.

We apply the following retention periods:

Project and financing related data (e.g. loans, grants & guarantees etc.): generally up to 7 years after the completion of a project or funding period.

General contact and communication data: retained as long as needed to respond to or manage your request or interaction.

Cookie related technical data: retained according to the specific cookie or local storage retention periods described in our Cookies Statement.

We occasionally call on other parties or business partners to assist us, and that may involve processing your personal data on our behalf. For example, if a printer prints envelopes for us with your name and address. Or if external parties conduct market research or store data for us. We may also provide your data to IT suppliers. Before we provide your personal data to another party, we first determine whether they are sufficiently reliable. We can only call on other parties if it suits the purpose for which we have processed your personal data. The other party can only be given our assignment if it makes specific agreements with us and has shown to have taken suitable security measures and can guarantee confidentiality.

We may also share your personal data with other entities within the Rabobank Group and their affiliates.

If we pass on your data to external parties outside the European Union (EU) or European Economic Area (EEA), then we always take extra measures to protect your data. Some non-EU countries do not use the same rules to protect your data as those required within the EU. If we utilize the services of third parties outside the EU/EEA, then we always assess whether the services are secure enough. The European Commission has determined that some countries provide an ‘adequate’ level of personal data protection. In other countries, we use the contractual agreements approved by the European Commission. We also arrange for additional security measures if necessary.

A. Right to view and correct
You may ask us which of your personal data we process, and we can show you which of your personal data we have processed. You can also ask us to change or add to any incorrect or incomplete personal data.

B. Right to data deletion
You may occasionally ask us to delete personal data that we have stored. We are not always required to do so, and sometimes we are not allowed to delete them, for example if we are legally required to store your data.

C. Right of limitation
You can ask us to temporarily process less of your personal data.

D. Right of data portability
You have the right to ask us for a structured and machine-readable format of the data that you have provided to us with your consent or in the context of an agreement with us, or to transfer the data to another party (if technically feasible).

E. Right of objection
If we process your data because we have a justified interest in doing so, then you have the right to object to the processing of your data. We will then reconsider whether your data may no longer be used for that purpose. If your interest outweighs ours, then we will stop processing the data. We will also explain the reasoning behind our decision.

It is possible that we cannot comply with your request, for example if it would impair the rights of others or because we are not permitted to do so by the law, police, public prosecutor’s office or other government agency. Or if we have weighed the interests and found that the interests of Rabo Foundation or other parties in processing the data must take precedence. In that case, we will also notify you of our decision. We will also inform you when we change your data or delete the data at your request, and if possible we will also notify the recipients of your data.

Do you have questions or comments about this Privacy Statement? Or do you have questions or complaints about how we process your personal data?

Then please feel free to contact:

Stichting Rabo Foundation
www.rabofoundation.com
E-mail: rf.complaints@rabobank.nl
Corporate seat: Utrecht
Visiting address: Croeselaan 18, 3521 CB Utrecht
Postal address: Postbus 17100, 3500 HG Utrecht

You can also contact the Data Protection Authority with complaints about the processing of your data.

About Us

Contact

Privacy Statement

Privacy Statement - January 2026

What does ‘processing personal data’ mean?

When do we receive your personal data?

Which personal data do we process?

For which purpose do we use your personal data?

How long do we store your personal data?

Who has access to your data?

Do we share your personal data with others?

Which rights do you have with regard to your personal data?

Who can you contact with a question or complaint about the processing of your personal data?