Data protection

Deutsche Pfandbriefbank AG (hereinafter referred to as “Deutsche Pfandbriefbank AG” or “we”) takes protecting your personal data very seriously. We treat your personal data confidentially and in compliance with statutory data protection provisions – in particular the EU General Data Protection Regulation (“GDPR”) and the German Data Protection Act (Bundesdatenschutzgesetz – “BDSG”) – and in accordance with this privacy policy.

Various types of personal data will be collected when you visit this website. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

1. Controller

Deutsche Pfandbriefbank AG
Parkring 28
85748 Garching, Germany
E-mail: info(at)pfandbriefbank.com 
Represented by the Management Board: Kay Wolf (CEO), Thomas Köntgen (Deputy CEO), Dr Pamela Hoerr, Andreas Schenk, Marcus Schulte

In our capacity as controller within the meaning of the data protection rules, we define the purpose and means of processing personal data, as described in this policy, solely or jointly with others.

2. Contact details of the Data Protection Officer

If you have any data protection-related questions and/or concerns, please contact our Data Protection Officer at:
group.dataprotection(at)pfandbriefbank.com 

3. Purposes and legal bases

3.1 Technical provision of Deutsche Pfandbriefbank AG web pages and Deutsche Pfandbriefbank AG services

For the purpose of providing our web pages, personal data is processed on the basis of overriding legitimate interests pursuant to Art. 6(1) (f) of the GDPR. Our legitimate interests consist of providing digital services that are essential for technical reasons and have been expressly requested, safeguarding the security and the uninterrupted operation of our IT systems as well as asserting, exercising and defending any legal claims.

When you visit our web pages, we will collect pseudonymised connection data (e.g. IP address, referrer URL, target page, time stamp) which is needed to display the relevant web pages, and we will store this data in server log files on the web server.

In some instances, we also store pseudonymised information in your browser (such as cookies or local storage data) if this is required to properly display our web pages or to enable necessary functionalities on our web pages (technically necessary services or cookies).

Data processed during e-mail communication includes any data entered (message content) as well as any connection data (e.g. IP address, mail client, time stamp) and meta data (e.g. size of data transferred), along with any attachments containing personal data. Our IT systems have functionalities that always scan e-mails for undesired content, such as viruses or spam.

If you use one of our contact forms, we will collect the data you enter into the form, and in any case the information marked as mandatory. All data transmitted via our web server is encrypted using https (SSL) and then transmitted to us by e-mail.

You are required to provide this data without there being any statutory or contractual obligation to do so. Without providing this information, you will not be able to visit our web pages at all, or only subject to limitations.

3.2 Performance of banking business and provision of financial services

We process personal data to perform banking business and provide financial services within the scope of contracts entered into with our clients, or to initiate contracts following a first request pursuant to Art. 6(1) (b) of the GDPR. The purpose of data processing depends primarily on the type of product (e.g. bank accounts, loans, securities, securities accounts, brokerage) and may relate to needs analyses, advisory services or executing transactions for example. Please refer to the contract documents and our General Business Conditions for specific information regarding the purpose of data processing.
We process personal data that we receive as part of our business relationship with our clients. To the extent required for the provision of our services, we also process personal data which we have lawfully received (e.g. to execute orders, perform contracts or if you have given us your consent) from other entities of the Deutsche Pfandbriefbank AG Group or third parties, such as credit reference agencies. We also process personal data which we have lawfully obtained from public sources (e.g. debtors’ lists, commercial registers, registers of associations, the press, the media or the internet) and which we are permitted to use.

Relevant personal data which an agent/principal (e.g. by power of attorney or as a legal representative, custodian or trustee) or another person under the obligation to repay a loan (e.g. a guarantor) shares upon initial contact or when an initial request is made or when opening an account, includes:

  • Name, address and other contact information
  • Place and date of birth
  • Gender
  • Marital status
  • Nationality
  • Identification data (e.g. details in official ID)
  • Authentication data (e.g. signature sample)

Relevant personal data may also include the following data or data similar to these categories:

  • Order-related data (e.g. payment order, banking details)
  • Personal data derived from the performance of our contractual obligations (e.g. payment data)
  • Information about your financial situation (e.g. creditworthiness, scoring/rating information, origin of assets)
  • Documentation data (e.g. minutes of advisory sessions) 

Additional data we may process:

  • Device information and other unique identifiers
  • Internet or other network activities
  • Payment card information (including credit or debit card number)
  • User content (including your communication with us and other content you provide)

As part of our business relationship, you are required to provide us with the information necessary to establish and conduct a business relationship and to perform any associated contractual obligations, or information we are required to obtain by law. Without this personal data, we will, as a rule, have to decline entering into a contract or executing an order, or cease performing any obligations under an existing contract and terminate said contract.

More specifically, under the provisions of the German Money Laundering Act (Geldwäschegesetz – “GwG”), we are required to verify your identity based on your identification documents to be able to enter into a business relationship with you. This includes collecting and checking your name, place and date of birth, your nationality, your place of residence and the details in your official ID. You must provide us with the information and documents required under the GwG and inform us immediately about any subsequent changes that may arise over the course of our business relationship, so that we are able to comply with these statutory obligations. We are excluded from entering into or continuing a business relationship with you if you fail to provide us with the required information or documents.

3.3 Client Portal

We will provide you with access to our Client Portal where you can manage your transactions, documents and financings. Your data will be processed for the purpose of performing contractually agreed obligations pursuant to Art. 6(1) (b) of the GDPR. 

In order to enter into a contract, it is essential that you provide your details, otherwise we will not be able to perform our contractually owed services.

3.4 Safeguarding our own and third-party legitimate interests

To the extent required, we will process your personal data beyond the actual performance of the contract where this is necessary to safeguard the legitimate interests of the Bank or third parties in accordance with Art. 6(1) (f) of the GDPR. Examples include:

  • Retrieving and exchanging data with credit reference agencies (e.g. SCHUFA) to determine the credit or default risks of our lending business
  • Auditing and optimising the procedure to perform needs analyses when approaching clients directly
  • Advertising or market and opinion research, as long as you have not objected to your data being used for these purposes
  • Drawing lots
  • Asserting legal claims and defending our position in legal disputes
  • Safeguarding the Bank’s IT security and IT operations
  • Preventing and investigating criminal offences
  • Measures relating to the security of the building, premises and facilities (e.g. access control)
  • Measures relating to the assertion of our right to bar anyone from our premises
  • Measures relating to the management of our business and to the development of products and services
  • (Ongoing) development of IT system components
  • Risk Management of Deutsche Pfandbriefbank AG Group
  • Usage in connection with mandatory or expedient banking regulatory requirements and applications, e.g. for risk management, including risk models

3.5 Processing based on your explicit consent

If you have consented to the processing of your personal data for specific purposes (e.g. exchange of information within the Group, analysis of payment data for marketing purposes), your consent serves as the basis for the lawful processing of your personal data pursuant to Art. 6(1) (a) of the GDPR. 

Consent once given can be revoked at any time. Any revocation of consent will not affect the lawfulness of any processing of personal data performed prior to revocation.

3.6 Compliance with a legal obligation 

In addition, as a bank we are subject to various legal obligations, such as statutory requirements (e.g. the German Banking Act (Kreditwesengesetz – “KWG”), the German Stock Corporation Act (Aktiengesetz – “AktG”), the German Money Laundering Act (Geldwäschegesetz – “GwG”), the German Securities Trading Act (Wertpapierhandelsgesetz – “WpHG”), tax laws) as well as banking regulatory requirements (e.g. those of the European Central Bank, the European Banking Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority). 

The purposes for which data processing is performed include assessments of credit quality, the verification of identity and age, the prevention of fraud and money laundering, compliance with tax auditing, reporting and documentation requirements, the identification of corporate bodies and committees along with related conflicts of interest, and the evaluation and management of risks at Bank and Group level. Data processing is performed pursuant to Art. 6(1) (c) of the GDPR to comply with these legal obligations.

3.7 Deutsche Pfandbriefbank and social media

Data processing is carried out for the purpose of providing our fan pages in social networks (corporate pages) and for marketing purposes on the basis of an overriding legitimate interest pursuant to Art. 6(1) (f) of the GDPR. Our legitimate interests consist of supporting the relevant social media platforms, presenting our business and performing marketing activities.
If you visit our corporate pages on any of the following social media platforms, we will define the purposes and means jointly with the platform operators. In this regard, we act as joint controllers within the meaning of Art. 26 of the GDPR.

You are not required to provide us with this information, neither by law nor by contractual agreement. The use of social networks is independent from the provision of your data. However, it is not possible to contact us or visit our profile without the operator of the social network providing us with this data.

3.7.1 LinkedIn

If you visit our profile on the "LinkedIn" social network as a logged-in user, if you follow us or engage with us by message, comment, etc., LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn") will process your personal data to provide us with aggregated information ("page insights"). We will not receive any information that would allow us to identify the behavioural patterns of an individual user.

We and LinkedIn are jointly responsible for the processing of personal data for the purpose of providing Page Insights in accordance with Art. 26 GDPR. For more information about how we as joint controllers process your personal data, follow this external link to LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum

If you, as a logged-in user, engage with our profile or posts we share by reading, following, commenting, etc., or if we visit your profile, LinkedIn will process your information as an independent controller (social network operator) and share with us any and all information required for the operation of the social network as per LinkedIn's terms of use.
In this case, we will collect user data (e.g. name, location), professional data (e.g. occupation, position, qualifications) as well as communication data (e.g. message contents) directly from you and/or through your use of the LinkedIn social network.

For further information on how LinkedIn processes your personal data, please follow this external link: https://de.linkedin.com/legal/privacy-policy 

Your data may also be transmitted to the LinkedIn parent entity, i.e. the Microsoft Corporation based in the United States. The transmission of personal data to Microsoft is based on the adequacy decision (Data Privacy Framework).

3.7.2 XING

If you are a logged-in user and visit our profile in the social network XING, follow us or engage with us through messages or by commenting, etc., or if we visit your profile, then New Work SE, Am Strandkai 1, 20457 Hamburg, Germany ("XING") will process your information as an independent controller (social network operator) and share with us any and all information required for the operation of the social network as per XING's terms of use.

In this case, we will collect user data (e.g. name, location), professional data (e.g. occupation, position, qualifications) as well as communication data (e.g. message contents) directly from you and/or through your use of the XING social network.
For further information on how XING processes your personal data, please follow this external link: https://privacy.xing.com/en/privacy-policy 

3.8 Requests via e-mail, contact form or phone

If you make requests by e-mail or phone, we will store your details to process the request and any follow-up questions. We will not pass this data on without your consent. This data is processed on the basis of Art. 6(1) (b) of the GDPR if your request is related to the performance of a contract or if processing is required in order to take steps prior to entering into a contract. In all other cases, processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6(1) (f) of the GDPR) or on your consent (Art. 6(1) (a) of the GDPR) if you have given it. Your consent can be revoked at any time.

We will retain the data that we collect from you until you ask us to erase it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions – in particular retention periods – remain unaffected.

You are not required to provide us with your personal data when contacting us, neither by law nor by contractual agreement. However, we will be unable to process your request if you fail to provide us with specific personal details (mandatory fields), i.e. contacting us is not possible if you do not provide these details.

3.9 Your job application

Processing personal data for the purpose of handling job applications is performed for the purpose of hiring decisions or, after hiring, for performing the employment contract pursuant to section 26 (1) of BDSG.

In the event that an application is rejected, personal data may be processed due to overriding legitimate interests in accordance with Art. 6(1) (f) of the GDPR. Our legitimate interest is to assert, exercise and defend any legal claims.

Should you submit an unsolicited application or if your application is rejected and you expressly consent to us retaining your personal data for future consideration, your personal data will be processed on the basis of your consent pursuant to Art. 6(1) (a) of the GDPR. Pursuant to Art. 7(3) of the GDPR, you are entitled to revoke your consent to the processing of your personal data at any time. The lawfulness of processing pursuant to Art. 6(1) (a) of the GDPR or Art. 9(2) (a) of the GDPR based on your consent will remain unaffected until you revoke your consent. 

If you apply for a job with us, we will collect all the personal data you provide in connection with your application. You can submit an unsolicited application or an application in response to a job advertisement we publish. We will then process your personal data during the application proceedings with a view to inviting you to a personal meeting and to make our hiring decision. If you use one of our contact forms when you apply for a job, we will collect the data you enter.

If we are unable to make you a job offer, if you reject a job offer or if you withdraw your application, we reserve the right to retain the data you transmitted on the basis of our legitimate interests (Art. 6(1) (f) of the GDPR) for up to 6 months from the end of the application proceedings (rejection of an offer or withdrawal of the application). Your personal data will then be deleted, and any physical application documents will be destroyed. The personal data retained may serve, in particular, as proof in the event of a legal dispute. If it is apparent that your personal data will still be needed after expiry of the 6-month period (e.g. due to an imminent or pending legal dispute), your personal data will only be deleted if the purpose for retention no longer applies.

Data may also be retained for a longer period if you have consented to that (Art. 6(1) (a) of the GDPR) or if statutory retention obligations preclude the deletion of such data.

3.10 Exercising your rights as a data subject

Data is processed for the purpose of safeguarding the data subject's rights in compliance with legal obligations pursuant to Art. 6(1) (c) of the GDPR and due to overriding legitimate interests pursuant to Art. 6(1) (f) of the GDPR. Our legitimate interest is to assert, exercise and defend any legal claims. 

If you contact us to exercise your rights as a data subject, we will collect all personal data you provide within the scope of such a request. We may also obtain such data from third parties if you have mandated someone to assert your rights on your behalf (agent, lawyer, custodian) or if you have contacted other bodies or officials (such as the Data Protection Officer) beforehand.
We process this data to verify your identity, review the applicability of the respective rights, safeguard your rights and to communicate with you.

You are not obligated to provide us with your personal data, neither by law nor by contractual agreement. However, we will be unable to process your request, or only to a limited extent, if you fail to provide us with specific information that allows us to verify your identity or to safeguard your rights.

4. Sharing personal data

At Deutsche Pfandbriefbank AG, personal data will only be shared with those persons who are responsible for processing such data. This includes administrators and client relationship managers.
We outsource certain activities to contracted service providers as processors pursuant to Art. 28 of the GDPR. We carefully select, contractually commit and regularly review these service providers.
In specific cases, we share personal data with third parties (e.g. legal advisers, auditors, the Data Protection Officer, authorities, courts and our affiliated companies) to the extent required for processing and legally permissible.

When sharing data with recipients outside our Bank, we as a bank are, first and foremost, required to treat all client-related facts and analyses we are aware of confidentially (banking secrecy as stipulated in section 2 of our General Business Conditions). We are only allowed to pass on your personal information if we are legally bound to do so, if you have given your consent or if we are authorised to prepare a status report or transmit other information.

Under these circumstances, recipients of personal data may include:

  • public offices and institutions (e.g. Deutsche Bundesbank, the German Federal Financial Supervisory Authority, the EU banking supervisory authorities, the European Central Bank, tax authorities, investigative or law enforcement authorities) to the extent that a statutory or regulatory obligation exists;
  • other lending or financial services institutions or comparable entities to whom we transmit your personal data in order to conduct our business relationship with you (depending on the particular contract, e.g. correspondent banks, custodian banks, exchanges, credit reference agencies);
  • service providers that we use for order processing; or
  • other Group entities for the purpose of risk management activities in accordance with statutory or regulatory requirements.

Personal data will only be transmitted to recipients in third countries outside the EU/EEA or to international organisations to the extent that this is required for processing and legally permissible. In these cases, your personal data will be transmitted on the basis of an EU adequacy decision or, if this doesn’t exist, based on the standard contractual clauses agreed or binding internal data protection regulations. To the extent that no such safeguards exist, data transfers to third countries outside the EU/EEA are based on a derogation under Art. 49(1) of the GDPR (explicit consent; performance of a contract, e.g. where required to process your order (payment or securities orders); assertion, exercise or defence of legal claims).

5. Automated decision-making processes

To establish and conduct a business relationship, we generally do not use a fully automated decision-making process within the meaning of Art. 22 of the GDPR. Whenever we do use such a process in individual cases, we will notify you separately and inform you about your rights, provided we are legally bound to do so.

6. Profiling

Some of the personal data we process is processed automatically, with the aim of factoring in certain personal aspects (profiling). We perform profiling in the following instances:

  • Due to legal requirements, we have a duty to prevent money laundering and fraud. As part of this process, we analyse data (e.g. payments). These measures also serve to protect you.
  • We use a scoring process when assessing your creditworthiness. This also entails calculating the probability as to whether a client can, or cannot, comply with their payment obligations as contractually required. This calculation considers factors such as the client's income situation, expenses, existing debt, occupation, length of employment, track record of earlier business relationships, previous loans serviced as agreed upon, as well as information obtained from credit reference agencies. The scoring system is based on a mathematically and statistically accepted procedure. The resulting scores help us make business decisions and are included in our ongoing risk management process.

7. Storage periods

To ensure compliance with the principle of storage limitation pursuant to Art. 5(1) (e) of the GDPR, we store personal data in a form which permits identification of data subjects for no longer than is necessary for the respective lawful purposes.

Server log files are stored for 7 days, depending on the IT system, and then deleted automatically.

Personal data to be stored under commercial or tax law provisions as set out in section 147 of the German Fiscal Code (Abgabenordnung – “AO”) and section 257 of the German Commercial Code (Handelsgesetzbuch – “HGB”) will not be deleted before the statutory periods of 6 or 10 years respectively have passed. Personal data may be stored for longer periods in order to assert, exercise or defend legal claims, e.g. in the event of pending tax, audit or administrative proceedings.

We will store the relevant documents for 2 to 10 years to comply with statutory obligations under the KWG, the GwG and the WpHG.

Any personal data that we process to assert, exercise or defend legal claims is usually deleted after 3 years (standard limitation period pursuant to section 195 of the German Civil Code – “BGB”). In some cases (e.g. claims for damages) section 199 of the BGB stipulates a limitation period of 10 years or 30 years from the time the claim arises, with the maximum storage period being 30 years from the date of the event that caused the damage.

Where data is processed to safeguard the legitimate interests of the Bank or a third party, your personal data will be deleted as soon as such legitimate interest no longer overrides your interests or fundamental rights that require the protection of your personal data.

As soon as you revoke your consent to data processing for the future, your personal data will be deleted, provided none of the above exceptions applies.

8. Your rights as a data subject

8.1 Right of access

Subject to the provisions stipulated in Art. 15 of the GDPR, you have the right to obtain confirmation from us as to whether or not we process personal data concerning you. In this case, you have a right of information in accordance with Art. 15(1) of the GDPR, including access to a copy of your personal data pursuant to Art. 15(3) of the GDPR, provided that this does not adversely affect the rights and freedoms of others. This includes trade secrets, intellectual property rights and copyrights.

Pursuant to section 34 of the BDSG, the right of access may be restricted or refused. In such a case, we will inform you about the reasons for the refusal.

8.2 Right to rectification

Subject to the provisions stipulated in Art. 16 of the GDPR, you have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you and, taking into account the purpose of processing, the right to have incomplete personal data completed.

Unless this proves impossible or would involve a disproportionate effort, we communicate the rectification to all recipients to whom we have disclosed your personal data. You are entitled to be informed about these recipients as per Art. 19 sentence 2 of the GDPR.

8.3 Right to erasure

Subject to the provisions stipulated in Art. 17 of the GDPR, you have the right to request that we erase personal data concerning you without undue delay. We have the obligation to erase your data if one of the grounds set out in Art. 17(1) of the GDPR applies.

Where we have made your personal data public and are required to erase such data, we will take “reasonable steps” pursuant to Art. 17(2) of the GDPR to inform other controllers, in the event that you have requested the erasure of any links to, or copy or replication of, this personal data.

Unless this proves impossible or would involve a disproportionate effort, we communicate the deletion to all recipients to whom we have disclosed your personal data. You are entitled to be informed about these recipients as per Art. 19 sentence 2 of the GDPR.

Pursuant to Art. 17(3) of the GDPR, the right to erasure does not apply to the extent that processing is necessary for the reasons mentioned in this provision. This applies, in particular, if statutory retention obligations continue to require the storage of your data (Art. 17(3) (b) of the GDPR) or if your data is necessary to assert, exercise or defend legal claims (Art. 17(3) (e) of the GDPR).
Pursuant to section 35 (3) of the BDSG, the right to erasure also does not apply if erasure of your data would conflict with retention periods set by statute or contract. The right to erasure may also be restricted as per section 35 (1) of the BDSG, in which case the processing of your data will be restricted pursuant to Art. 18 of the GDPR.

8.4 Right to restriction of processing

Subject to the provisions stipulated in Art. 18 of the GDPR, you have the right to request that we restrict processing if one of the requirements set out therein applies.

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing of your data has been restricted, Art. 18(2) of the GDPR stipulates that your data will continue to be stored but only be processed if you consent, or to assert, exercise or defend legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

Where processing of your data has been restricted, you will be notified before the restriction is lifted. Unless this proves impossible or would involve a disproportionate effort, we communicate the restriction to all recipients to whom we have disclosed your personal data. You are entitled to be informed about these recipients as per Art. 19 sentence 2 of the GDPR.

8.5 Right to data portability

Subject to the provisions stipulated in Art. 20 of the GDPR, you have the right to receive any personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance from us, provided that processing is based on your consent pursuant to Art. 6(1) (a) of the GDPR or a contract pursuant to Art. 6(1) (b) of the GDPR and provided that the rights and freedoms of other natural persons are not adversely affected.

8.6 Right to object

Subject to the provisions stipulated in Art. 21 of the GDPR, you have the right to object to processing of your personal data at any time, on grounds relating to your particular situation, provided processing is based on our legitimate interest pursuant to Art. 6(1) (f) of the GDPR.

The right to object pursuant to Art. 21(1) of the GDPR does not apply if we can demonstrate legitimate grounds which override your interests, rights and freedoms, or where processing serves to assert, exercise or defend legal claims.

Irrespective of this, you have the right to object to the processing of your data for the purpose of direct marketing, including profiling related to such direct marketing, at any time pursuant to Art. 21(2) of the GDPR. In this case, we will no longer process your data for the purpose of direct marketing.

8.7 Withdrawal of consent

Should processing of your personal data be based on your consent pursuant to Art. 6(1) (a) of the GDPR, you have the right to withdraw your consent at any time with future effect pursuant to Art. 7(3) of the GDPR.

8.8 Automated decision-making pursuant to Art. 22 of the GDPR

Pursuant to Art. 22(1) of the GDPR, you have the right not to be subject to a decision based solely on automated processing – including profiling – if this would have a legal effect on you or would significantly affect you in a similar manner.

Whenever we do use such a process in individual cases, we will notify you separately and inform you about your rights, provided we are legally bound to do so.

8.9 Right to lodge a complaint pursuant to Art. 77 of the GDPR

Without prejudice to any other administrative or judicial remedy, pursuant to Art. 77 of the GDPR you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR. You can contact any supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, including the supervisory authority that has jurisdiction for us.

Bavarian Data Protection Agency (Bayerisches Landesamt für Datenschutzaufsicht – “BayLDA”)

Street address
Promenade 18
91522 Ansbach
Germany

Mailing address
PO Box 1349
91504 Ansbach
Germany

Availability
Phone: +49 (0) 981 180093-0
Facsimile: +49 (0) 981 180093-800
E-mail: poststelle(at)lda.bayern.de 

8.10 Supplementary information about data subject rights for users of the US Client Portal

We are providing this supplementary information for individuals residing in the United States, pursuant to the legislation applicable in your state.

8.10.1 Access, deletion and do-not-sell requests

We grant the following additional rights regarding collection, use, disclosure or sale (if applicable) of personal data where required by applicable law (e.g. for California residents and residents of other US federal states) or where we deem this appropriate for other reasons, especially when related to our US Client Portal:

  • You may request a copy of the following information: (i) the categories of personal data that we have collected about you during (at least) the past 12 months; (ii) the categories of sources from which your personal data has been obtained; (iii) the business or commercial purpose for collecting or selling (if applicable) your personal data; (iv) the categories of third parties with whom we have exchanged your personal data during (at least) the past 12 months; and (v) the specific parts of your personal data that we have collected, used, shared or sold.
  • You may request that we (and our service providers) delete your personal data. Please note that deletion requests are subject to various restrictions. For example, we may retain personal data within the parameters of statutory provisions, e.g. for tax purposes or when such data otherwise serves as proof, to maintain an active account, to process transactions and client requests, and for any other internal business purposes described in this privacy policy.
  • You may request that we do not sell your personal data. We do not sell our clients’ personal data in the traditional sense of “selling”. However, some US states interpret “selling” very broadly insofar as “selling” also includes sharing personal data with third parties in exchange for something valuable, even if no money changes hands. For example, sharing marketing or device identifiers with third parties may be defined as a “sale” in accordance with the laws of some US states. Please contact us at https://www.pfandbriefbank.com/en/contact if you wish us to refrain from such sharing.
  • Any of these requests can be made via our web form, by telephone on +1-8333808777 or by e-mail to info(at)pfandbriefbank.com. You may also authorise someone else to make a request on your behalf. We will contact you (usually by e-mail) shortly after receiving your request, informing you how you can check the submitted request before we process it. Please note that besides making data protection requests as described in this policy, you can also reject our use of third-party marketing technologies on your device by individualising the settings of your internet browser and/or device (as outlined in this privacy policy).

We will process these requests at our reasonable discretion and in line with applicable laws.


8.10.2 California “Shine the Light” disclosure

Pursuant to California state law, certain businesses are required to answer requests by California users who enquire about business practices relating to the disclosure of personal data to third parties for their own marketing purposes. California's “Shine the Light” law also requires us to give California residents the opportunity to refuse disclosure of specific personal data to third parties for the third parties’ own direct marketing purposes. We do not use your personal data for direct marketing purposes. 

8.10.3 California “Do not Track” notice

Our US Client Portal does not use tracking technologies. 

8.10.4 Other disclosure obligations under California law

We do not offer our clients any financial incentives or differences in pricing or service in exchange for the storage or sale of their personal data. We may send advertisements and other offers to individuals who subscribe to our marketing communications. Unless you have communicated your wish not to receive any such communications, you will continue to receive these communications, irrespective of whether you have made a disclosure, deletion or “do-not-sell” request. We do not offer financial incentives to prevent clients from making such requests.
We do not discriminate against clients who exercise their data protection rights.

Should you have questions regarding our data protection practices, also associated with the California Consumer Privacy Act, please contact us as described above.

8.10.5 Nevada disclosure

We hereby inform Nevada residents that we do not sell personal data within the meaning of Nevada's law. Affected users can make a request via the request channels described above. 

9. Protection of personal data

We have implemented an extensive information security programme containing technical and organisational measures to safeguard and protect your data. In particular, we have implemented the following security measures to protect your data from unauthorised access, release, use or modification:

  • Encryption of personal data
    • You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the padlock symbol in your browser’s address bar. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
    • Storing key information such as passwords after their encryption
  • Countermeasures in response to hacker attacks
  • Preparation and implementation of the internal security management plan
  • Installation and operation of an access control system
  • Measures to prevent access data from being falsified or altered

However, due to constantly evolving technology and other factors beyond our control, we cannot guarantee that communication between you and our servers will not be compromised by unauthorised third-party access or that we will not be affected by security breaches.

This privacy information is valid with effect from 20/06/2024 and replaces all previous versions.