DATA PROTECTION NOTICE: RECORDING CALLS
As at: 11.03.2019
This data protection notice aims to clarify who is responsible for recording your telephone calls, when we may record calls and for what purpose, and what rights you have as a data subject.
1 Who is responsible for data processing and who can you contact?
DZ BANK AG
Deutsche Zentral-Genossenschaftsbank, Frankfurt am Main
Platz der Republik
60325 Frankfurt am Main
telephone: +49 69 7447-01
fax: +49 69 7447-1685
You can contact our
data protection officer at
the same address at the right(DZ BANK AG)
telephone: +49 69 7447-94101
fax: +49 69 427267-0539
2 What sources and data does DZ BANK use?
When a call is recorded, DZ BANK processes technical data that it has generated from the telephone system or which has been provided by the telephone company (phone numbers, call start time and duration) in addition to the speech content itself. In the case of incoming calls, our staff also normally record the caller's name and what they are calling about.
3 For what purpose does DZ BANK process your data and on what legal grounds?
Depending on national legislation, some calls must be recorded, such as those in connection with securities transactions. These are then formally recorded and stored to meet statutory obligations under Art. 6 para. 1 c GDPR.
Whether a telephone call must be recorded under national and/or different statutory rules depends on the country from which you are calling one of DZ BANK's offices or branches. When calling our trading departments, you should normally assume that, for legal reasons, calls are being recorded on a regular basis.
A record of the call is still made even when there exists no requirement to do so under national law. This is subject to your consent, which we request at the start of each call (in accordance with Art. 6 para. 1 a GDPR). For example, this is the case with customer support calls, which we record in order to be able to provide evidence that we did not give any investment advice or incorrect information. We also use recording in individual cases to improve the quality of our customer service and for training purposes (coaching) with our staff.
If we do not record a call because we did not receive your consent, we are permitted to make a written record (telephone memos). This is also a case in which we process personal data. We do this so that we can handle your requests in a more systematic manner and so we do not need to repeatedly ask for the information we need each time you call. If you do not offer consent for your call to be recorded, these written records also serve as evidence that we did not offer any investment advice or incorrect information. The legal basis of our legitimate interest here is formally provided by Art. 6 para. 1 f GDPR.
In emergencies and threat situations, recordings may be made to help verify events. In light of the exceptional circumstances, no consent is necessary to make such recordings: Our duty to avert possibly life-threatening situations (Art. 6 para. 1 d GDRP) or a legitimate interest under Art. 6 para. 1 f GDPR serve as the legal basis.
Technical data that has been recorded (particularly time, call number) and/or names that have been noted and the caller's keyword subjects are used to save, file and/or trace recordings. We do this even when there is no legal obligation to store such data. Our legal basis for this is our so called legitimate interest as stipulated under Art. 6 para. 1 f GDPR within the scope of handling incoming calls efficiently and effectively.
4 Who receives your data?
Within the bank, those departments that need your data for processing purposes have access to it. If recordings are made for legal purposes, government departments and the appropriate regulatory offices in particular can access them in the course of a search request, but only insofar as their respective national legislation allows.
In the event of a legal dispute, we hand the recordings over to lawyers and courts insofar as the law compels us to do so or we have a position in law to represent. We also disclose data from emergencies and threat situations, if this is required by the investigating authorities.
For the operation of our telephone systems, we engage service providers who work strictly in accordance with our instructions, we define a normal level of data protection for a bank which they must meet (contract processors). These service providers process your data only for the purposes we specify (in this case, operating a telephone system, storing data).
5 For how long is your data stored?
The storage Period for the data depends on which country you are calling from and its respective national legislation.
German law requires calls to be recorded if they are made in connection with securities products. Data from these calls must be stored for up to 7 or 10 years under § 83 para. 8 WpHG and § 147 AO. Insofar as there is no statutory storage period for recordings, the length of time for which they are stored is guided by statutory limitation periods (generally three years in Germany). Data from emergencies and threat situations is stored until it is handed over to the investigating authorities, or for the duration of the relevant limitation periods.
6 What rights do you have as a data subject?
Every data subject has a right of access in accordance with Article 15 of the GDPR, a right to rectification in accordance with Article 16 of the GDPR, a right to erasure (“right to be forgotten”) in accordance with Article 17 of the GDPR, a right to restriction of processing in accordance with Article 18 of the GDPR, a right to data portability in accordance with Article 20 of the GDPR, a right to object in accordance with Article 21 of the GDPR (specific information provided later on in this data protection notice). You also have the right to lodge a complaint with a supervisory data protection authority in accordance with Article 77 of the GDPR.
If you give DZ BANK your consent to process your personal data for specific purposes, you can withdraw your consent for the future at any time. This also applies to any consent given to us by you before the GDPR came into effect, i.e. before 25 May 2018. The withdrawal of consent does not affect the lawfulness of processing performed by DZ BANK based on consent before its withdrawal.
7 Are you obliged to provide your data?
It is only possible to avoid a call being recorded by using an alternative means of communication (such as the written form).
Whenever we record calls in our own interest, we ask for your consent. If you request for your call to not be recorded, we will comply with this request. In such a case, instead of carrying out an audio recording, we will record the call manually by means of written notation.
8 Information regarding your right to object under Article 21 of the GDPR
8.1 Right to object on a case-by-case basis
You have the right to object at any time on grounds relating to your particular situation to processing of personal data concerning you which is based on point (e) of Article 6(2) of the GDPR (processing of data in the public interest) and point (f) of Article 6(1) of the GDPR (processing of data based on a legitimate interest), including profiling based on those provisions in the sense of Article 4(4) of the GDPR which we use for credit checks or marketing purposes.
If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing is for the purpose of establishment, exercise or defence of legal claims.
8.2 Right to object to processing data for advertising purposes
In some cases, DZ BANK uses your personal data for direct advertising purposes. You have the right to object to your data being processed in this way at any time. This also includes profiling insofar as it relates to such direct advertising.
Objections may be made via any of the contact channels detailed above. There are no formal requirements for submitting objections.
We modify and/or update this data protection notice, particularly in response to new technological developments, in response to amended statutory and/or official requirements and organisational changes. These modifications and/or updates are posted on our website at www.dzbank.com/dataprotection. We provide our current data protection notes as a file (PDF) or on paper, but we recommend that you always refer to our website for the most recent updates. If any changes are made, we will always check if we are required to inform you of them proactively and, should this be the case, we will fulfil our obligation to do so. Otherwise, we will only replace files or printouts with the latest versions if this is something that you have requested.