GENERAL DATA PROTECTION NOTICE OF DZ BANK

As at: 11.03.2019

This general data protection notice provides information about how your personal data is processed by DZ BANK and your rights as a data subject as per data protection legislation.
The general data protection notice is essentially addressed to all persons affected by data processing who are in contact with us now or will be in the future and thus will or may be subject to the processing of personal data in the future.
This notice is thus aimed in particular at our customers, at those interested in our products or our company, at public authorities and contractors, and in each case at the contact persons or employees and authorised representatives or persons authorised to represent the company, as well as to the beneficial owners of our customers to be disclosed. Furthermore, this notice is also directed at potential co-obligated parties of a loan or third-party guarantors and other data subjects in their environment.
We also ask you to forward this general data protection notice to persons in your organisation or scope of activity whose data you make known to us, but with whom we do not (yet) have direct contact (e.g. employees, future contact persons).



1 Who is responsible for data processing and who can you contact?

Controller:

DZ BANK AG
Deutsche Zentral-Genossenschaftsbank, Frankfurt am Main
(DZ BANK)
Platz der Republik
60325 Frankfurt am Main
telephone: +49 69 7447-01
fax: +49 69 7447-1685
e-mail: mail@dzbank.de

You can contact our data protection officer at the same address as given above (DZ BANK AG)

or via
telephone: +49 69 7447-94101
fax: +49 69 427267-0539
e-mail: datenschutz@dzbank.de
 

2 What sources and data does DZ BANK use?

DZ BANK processes personal data from potential customers, customers and all other natural persons who come into contact or are in contact with DZ BANK, e.g. guarantors, authorised representatives, legal guardians, messengers, representatives or employees of legal persons, visitors to our websites and apps and users and applicants who use our websites and apps to create a user account, or who use these services.
We process personal data that we receive from our customers in the context of our business relationship. Whenever it is required in order for us to provide our services, we also process personal data provided to us by other companies or third parties whenever we are permitted to do so (e.g. in order to execute orders, perform contracts or on the basis of your consent). We also process personal data that we are permitted to acquire from publicly accessible sources (e.g. debtors reports, title registers, trading and association registers, the press, the internet, media sources, etc.).
Relevant personal data can include: name, address and other contact information, date and place of birth and nationality, legitimation information (e.g. ID information) and authentication information (e.g. sample of signature). It also includes order data (e.g. payment order, securities order), data related to the fulfilment of our contractual obligations (e.g. revenue data from payments processing, credit limits, product data [e.g. deposits, loans and custody account business]), information about your financial situation (e.g. credit rating, the source of your assets), documentation data (e.g. records of advice that has been given), register data, data about how you use our telemedia offerings (e.g. the time of accessing websites and apps, and registering for newsletters) and other similar data.
We also process information about which contact partners assigned to us or representatives of companies commissioned by us are responsible for which deals or topics and – if we have received this information – which tasks and decision-making powers the contact partners have. This may include information regarding the extent to which a contact partner is authorised to act on behalf of the company or their general power of attorney and samples of signatures.
The specific data and the manner in which it is processed is selected according to the agreements between you and DZ BANK that have been concluded or requested. For this reason, some parts of this privacy policy may not be relevant in your case.


3 For what purpose does DZ BANK process your data and on what legal grounds?

DZ BANK processes personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and national data protection requirements.
Processing means the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.1 In order to fulfil contractual obligations (Article 6(1b) of the GDPR)
We process your personal data in order to provide and broker banking transactions, financial services and insurance and real estate transactions, particularly in order to perform our contracts with you or to take steps prior to entering into contracts. We also process your personal data in the context of the execution of our orders, as well as for the purpose of activities related to the operation and administration of a credit or financial services institution.
The purpose for which your personal data is processed here is dependent on the specific product in question (e.g. account, credit card, securities, deposits, brokerage). These purposes can include needs assessments, advice, asset management and performing transactions. Additional details regarding the purpose for which your personal data is processed are provided in the relevant contract documents or the terms and conditions of use.
In the event of the services of our service providers being used, data shall be processed to fulfil our contract or to implement pre-contractual measures as well as to commission and execute our orders.
Again, the purpose of the data processing here is primarily determined by the specifically agreed service or service to be agreed.

3.2 For the purpose of legitimate interests (Article 6(1f) of the GDPR)
If required, DZ BANK processes your data beyond the scope of simply performing the contract for the purpose of legitimate interests pursued by us or a third party, except when overridden by your interests in protecting your personal data.
Examples:
• consulting and exchanging information with information providers in order to identify credit and default risks in accordance with national regulations;
• reviewing and optimising the processes we use to analyse your needs and make contact with customers directly, including customer segmentation and calculating the probability of closing;
• marketing or market and opinion research, unless you have stated that your data may not be used for these purposes;
• asserting legal claims and defending against legal disputes;
• guaranteeing the security and functionality of DZ BANK’s IT system;
• preventing and resolving criminal offences;
• building and facility security measures (e.g. access control);
• measures for ensuring that only authorised parties are granted access to data;
• measures related to management and the improvement of services and products;
• risk management within the DZ BANK Group.

3.3 On the basis of your consent (Article 6(1a) of the GDPR)
If you give DZ BANK your consent to process your personal data for specific purposes (e.g. passing on your data within the DZ BANK Group, evaluating payment data for marketing purposes), then this processing is considered lawful on the basis of your consent.

3.4 On the basis of statutory obligations (Article 6(1c) of the GDPR) or in the public interest (Article 6(1e) of the GDPR)
DZ BANK has certain legal obligations which arise directly from legislation and regulatory requirements. The purposes for which we process your personal data include credit checks, checking your identity and age, preventing fraud and money laundering, complying with control and reporting obligations under tax law and evaluating and managing risks within DZ BANK and the DZ BANK Group.


4 Who receives your data?

Your data is only made available within the bank to the extent required in order for us to comply with our contractual and statutory obligations. Contractors which we use (Article 28 of the GDPR) may also receive data for the aforementioned purposes. These include credit agencies, IT service providers, logistics companies, printers, telecommunication providers, collection agencies, consulting agencies and sales and marketing companies.
Whenever the personal data of our customers is provided to recipients outside of the bank, we will ensure that all of the customer-related information and assessments which we become aware of are protected by the general confidentiality terms which have been agreed between us (banking security). We may only disclose information about our customers if this is required by law, if our customers have released us from our banking secrecy obligations pursuant to an agreement or within the scope of a declaration of consent, or if we are authorised to provide banking information. If we are required to do so on the basis of a statutory obligation or an official order, personal data may be provided to the following recipients, among others:
• public bodies and institutions (e.g. Federal Financial Supervisory Authority, European Banking Authority, central banks, financial authorities and criminal prosecutors) operating on the basis of statutory or official obligation;
• other credit or financial services institutions or similar institutions to which DZ BANK provides your personal data for the purpose of the business relationship with you (these can include companies in the Volksbanken Raiffeisenbanken cooperative financial network, correspondent banks, custodian banks, exchanges and information providers, depending on the contract);
• other companies within the DZ BANK Group or cooperative financial network on the basis of statutory or official obligations for risk management purposes.
Your personal data may also be provided to other recipients if you have given us your consent or you have agreed that we are not subject to banking secrecy obligations and / or if we are authorised to transfer your personal data for the purpose of pursuing a legitimate interest. Under certain circumstances, your data may be provided to additional recipients due to the nature of the contract. These circumstances will be specified in the contract documents or the terms for the transaction in question.


5 Is data transferred to a third country or an international organisation?

Personal data is only transferred to third countries (i.e. non-EU countries) if this is required to execute your orders (e.g. payment and securities orders), required by law (e.g. reporting obligations under tax law), if you have given us your consent to do so or if it is for the purpose of processing an order. If a service provider in a third country is used in the absence of an adequacy decision by the EU, DZ BANK uses guarantees or, for example, EU model clauses in addition to written instructions to ensure that the service provider maintains a European level of data protection.
Within the scope of transferring data to its own foreign branches and representative offices, DZ BANK has ensured its employees working there are committed to the internal instructions and guidelines applicable in Germany and to a level of data protection that corresponds to that at the head office.


6 For how long is your data stored?

DZ BANK processes and stores all necessary personal data for the duration of our business relationship. This includes the periods required to prepare and wind up a contract. Please note that our business relationship, especially to our customers, is likely to last for a number of years.
DZ BANK is also subject to a variety of retention and documentation obligations arising from national commercial and tax legislation, in addition to legal requirements for banking institutions. In Germany, the retention and documentation periods specified in this legislation last up to ten years.
The retention period is ultimately determined on the basis of national statutory limitation periods. Sections 195 et seq. of the German Civil Code, for example, specify a standard limitation period of three years. However, these limitation periods can last up to 30 years in certain circumstances.
The data of contact partners of our customers, service providers or competent government bodies is stored for the duration of the business relationship or responsibility, or until being notified (by the data subject themselves or their successor) of a new contact partner. Any data of contact partners contained in a document subject to retention (e.g. business correspondence, decisions) will be kept for the duration of the applicable retention period.
The contact details of journalists are handled in the same way, i.e. for the duration of the cooperation, which ends by means of termination or appointment of a successor. Such data is also stored for a longer period of time here, provided that the data forms part of documents subject to legal retention periods.
In all cases, the standard retention periods described here may be extended if such data is required to assert, exercise or defend legal claims.


7 What rights do you have as a data subject?

Every data subject has a right of access in accordance with Article 15 of the GDPR, a right to rectification in accordance with Article 16 of the GDPR, a right to erasure (“right to be forgotten”) in accordance with Article 17 of the GDPR, a right to restriction of processing in accordance with Article 18 of the GDPR, a right to data portability in accordance with Article 20 of the GDPR, and a right to object in accordance with Article 21 of the GDPR (specific information provided later on in this data protection notice). You also have the right to lodge a complaint with a supervisory data protection authority in accordance with Article 77 of the GDPR.
If you give DZ BANK your consent to process your personal data for specific purposes, you can withdraw your consent for the future at any time. This also applies to any consent given to us by you before the GDPR came into effect, i.e. before 25 May 2018. The withdrawal of consent does not affect the lawfulness of processing performed by DZ BANK based on consent before its withdrawal.


8 Are you obliged to provide your data?

You are only required to provide the personal data that is necessary in order to establish, implement and terminate a business relationship. You are also required to provide personal data that we are legally obliged to collect. Without this data, we will not normally be able to conclude the contract or execute your order. We may also be required to terminate an existing contract that we are unable to perform.
DZ BANK is obliged, particularly under anti-money laundering legislation, to identify its customers using valid official photo ID before establishing a business relationship with you. This involves collecting your name, date of birth, nationality, residential address and information about the ID itself, and storing this data. If DZ BANK is not provided with the information and documentation, DZ BANK will not be permitted to continue or establish the requested business relationship.


9 To what extent is your data used for automated decision-making?

We do not use any fully automated decision-making processes in order to establish and implement the business relationship in accordance with Article 22 of the GDPR. Should DZ BANK be legally required to do so, we will inform you if we use these processes in your individual case.


10 Is your data used for profiling?

Some of your data is processed automatically by DZ BANK in order to evaluate specific personal aspects (profiling). Profiling is used, for example, in the following cases:
• We are required to combat money laundering, the financing of terrorism and criminal acts that would endanger assets in accordance with statutory and regulatory requirements. Data (including payments processing data) is analysed for this purpose. These measures also help to keep you safe.
• We use analysis tools so that we can provide you with tailored information about DZ BANK products and advice. These tools enable us to communicate with you in a manner based on your needs and engage in marketing, including market and opinion research.
• We use scoring for the purpose of credit checks. It is used to calculate the probability of a customer meeting their contractual payment obligations. The calculation is based on a number of factors, including your income, expenses, liabilities, occupation, how long you have been employed, prior experience from the business relationship, whether or not previous loans were repaid on time and information from credit agencies. We use an established statistical process for scoring purposes. Scores help us to make decisions and are incorporated into ongoing risk management.


11 Information regarding your right to object under Article 21 of the GDPR

11.1 Right to object on a case-by-case basis
You have the right to object at any time on grounds relating to your particular situation to processing of personal data concerning you which is based on point (e) of Article 6(2) of the GDPR (processing of data in the public interest) and point (f) of Article 6(1) of the GDPR (processing of data based on a legitimate interest), including profiling based on those provisions in the sense of Article 4(4) of the GDPR which we use for credit checks or marketing purposes.
If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing is for the purpose of establishment, exercise or defence of legal claims.

11.2 Right to object to processing data for advertising purposes
In some cases, DZ BANK uses your personal data for direct advertising purposes. You have the right to object to your data being processed in this way at any time. This also includes profiling insofar as it relates to such direct advertising.

11.3 Objection
Objections may be made via any of the contact channels detailed above. There are no formal requirements for submitting objections.


12 Updates
We modify and/or update this data protection notice, particularly in response to new technological developments, in response to amended statutory and/or official requirements and organisational changes. These modifications and/or updates are posted on our website at www.dzbank.com/dataprotection. Upon request, we provide our current data protection notices as a file (PDF) or on paper, but we recommend you always refer to our website for the most recent updates. If any changes are made, we will always check if we are required to inform you of them proactively and, should this be the case, we will fulfil our obligation to do so. Otherwise, we will only replace files or printouts with the latest versions if this is something that you have requested.