Data protection information for 'natural persons' under the EU General Data Protection Regulation

We're providing this information to give you an overview of how we process your personal data and your rights under the General Data Protection Regulation (GDPR). The particular products and services you've ordered or arranged are generally what determines how and what personal data will be processed and used in each individual case.

Please pass this information along to any current or future personal representatives (e.g. those with power of attorney, legal representative, guardian, custodian) and beneficial owners, as well as anyone who shares liability to repay a loan. This also includes beneficiaries under a will, authorised officers or guarantors.

1. Who is responsible for data processing and whom should I contact?

The data controller is:

Deutsche Pfandbriefbank AG
Parkring 28
85748 Garching, Germany

Telephone: +49 89 2880 0
Fax: +49 89 288010319
E-mail:       info(at)pfandbriefbank.com
Website:    www.pfandbriefbank.com

You can contact our corporate Data Protection Officer at:

Deutsche Pfandbriefbank AG
Data Protection Officer
Parkring 28
85748 Garching, Germany

Telephone: +49 89 2880 0
Fax: +49 89 2880 10319
E-mail:        group.dataprotection(at)pfandbriefbank.com

2. What type of sources and data do we use?

We process personal data that we receive from our clients as part of our business relationship with them. Where necessary to provide our services, we also process personal data that we have received lawfully (e.g. to execute orders, fulfil contracts or where you have provided us with consent) from other Deutsche Pfandbriefbank AG Group companies and third parties (e.g. credit agencies). Additionally, we process personal data that we have lawfully obtained from public sources (e.g. debtors' list, land register, register of companies or associations, press, media, internet) and are permitted to use.

Relevant personal data given in the context of an initial contact or enquiry, account opening, representative/power of attorney (e.g. account authorisation, legal representative, guardian, custodian) or a person who has liability to repay a loan (e.g. guarantor) can include personal information (name, address and other contact details, place/date of birth, gender, marital status and nationality), identification data (e.g. official ID data) and authentication data (e.g. specimen signature). It may also include order-related data (e.g. payment order, bank account), personal data resulting from us fulfilling a contractual obligation (e.g. payment turnover data), information concerning your financial situation (e.g. creditworthiness, scoring/rating information, source of assets), marketing and sales data including marketing scores, documentation data (e.g. advisory records) as well as other data similar to the categories mentioned.

3. Why do we process your data (processing purpose) and on what legal basis?

We process personal data in accordance with the provisions set out in the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) including applicable supplementary data protection regulations:

a.    to perform contractual obligations (article 6(1)(b) GDPR):

Personal data is processed to execute banking transactions and provide financial services under the contracts we have with our clients or to make pre-contractual arrangements after an initial inquiry has been made. The purposes of the data processing have to do first and foremost with the specific kind of product (e.g. accounts, credits, securities, deposits, brokerage) and may include things like needs analyses, advisory services or executing transactions. Specific details about the purpose of the data processing can be found in the relevant contractual documentation and General Terms and Conditions of Business.

b.    to determine the balance of interests (article 6(1)(f) GDPR):

Where necessary, the extent to which we process your personal data extends beyond the actual performance of a contract in pursuance of the legitimate interest of the Bank or a third party.

Examples:

• Consulting and exchanging data with reporting agencies (e.g. SCHUFA) to determine creditworthiness or default risks in our lending business.
• Testing and optimising the process for conducting a needs analysis for the purposes of direct contact with clients;
• Advertising or market and opinion research as long as you have not objected to your data being used;
• Conducting raffles;
• Enforcing legal rights and defending our position in legal disputes;
• Ensuring IT security and operations for the Bank;
• Preventing and investigating offences;
• Measures relating to building and premises security (e.g. access control);
• Measures relating to asserting our right to exclude people from our premises;
• Measures relating to managing our business and developing products and services;
• New and further development of IT system components
• Risk management for Deutsche Pfandbriefbank AG Group;
• Use within necessary or useful banking supervision requirements or services, such as risk management, including use in risk models;

The processing for business purposes in social networks is necessary for the purposes of overriding legitimate interests as per Article 6 (1) f of the GDPR. Our legitimate interests are the public representation of our company and networking with partners, employees and interested parties for business purposes. In the case of raffles hosted by us, the analysis of reactions and/or comments as well as any subsequent communications serve the legitimate interests of conducting the raffles and notifying the winner(s).

Activity on LinkedIn:

• If you visit our profile on the "LinkedIn" social network as a logged-in user, and if you follow us or engage with us through a message, comment or anything else, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn") will be processing personal data to provide us with aggregate information ("page insights"). We will not receive any information that would allow us to identify the behaviour of an individual user.
• As regards processing of personal data for the purposes of the provision of page insights, we and LinkedIn are joint controllers under Article 26 of the GDPR. LinkedIn ensures that the collection of user data is compliant with legal requirements, the data in the social network is stored with adequate security, and the requirements of data protection law are satisfied. You can assert your rights directly vis-à-vis LinkedIn, but you also have rights vis-à-vis us. For more information about how we as joint controllers process your personal data, follow this external link to LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum.
• If you are a logged-in user and engage with the profile or posts we share by reading, following, commenting or whatever else, or if we visit your profile, LinkedIn will process your information as an independent controller (social network operator) and share with us any and all information required for the operation of the social network as per LinkedIn's terms of use.
• In this case, we will collect user data (e.g. name and location), qualification data (e.g. profession, position, education), communication data (e.g. message contents) directly from you and/or through your use of the LinkedIn social network.
• For further information about how LinkedIn processes your personal data, please follow this external link: https://www.linkedin.com/legal/privacy-policy.
• You are not required to provide us with this information, either by law or by contractual agreement. Usage of the LinkedIn social network is independent from the provision of your data; however, it is not possible to contact us or visit our profile without LinkedIn providing us with this data.

Activity on XING:

• If you are a logged-in user and visit our profile in the social network XING, follow us or engage with us through messages or by commenting, or if we visit your profile, then New Work SE, Am Strandkai 1, 20457 Hamburg, Germany ("XING") will process your information as an independent controller (social network operator) and share with us any and all information required for the operation of the social network as per XING's terms of use.
• In this case, we will collect user data (e.g. name and location), qualification data (e.g. profession, position, education), communication data (e.g. message contents) directly from you and/or through your use of the XING social network.
• For further information about how XING processes your personal data, please follow this external link: https://privacy.xing.com/en/privacy-policy.
• You are not required to provide us with this information, either by law or by contractual agreement. Usage of the XING social network is independent from the provision of your data; however, it is not possible to contact us or visit our profile without XING providing us with this data.

c.    where you have given consent (article 6(1)(a) GDPR):

Where you have consented to your personal data being processed for specific purposes (e.g. sharing information within the Group, analysing payment data for marketing purposes), the consent serves as the basis for lawfully processing your personal data. Consent may be revoked at any time once given. This also applies to withdrawing consent given before the GDPR came into force, i.e. before 25 May 2018. Withdrawing consent does not affect the lawfulness of personal data processing that occurred prior to the withdrawal.

d.    for compliance with a legal requirement (article 6(1)(c) GDPR) or in pursuit of the public interest (article 6(1)(e) GDPR):

In addition, as a bank we are subject to various different legal obligations, such as statutory requirements (e.g. the Banking Act (Kreditwesengesetz), German Stock Corporation Act (Aktiengesetz, AktG), Money Laundering Act (Geldwäschegesetz), Securities Trading Act (Wertpapierhandelsgesetz), tax laws) as well as banking regulatory requirements (e.g. those set out by the European Central Bank, the European Banking Authority, the German Bundesbank and the German Federal Financial Services Supervisory Authority). Purposes of data processing include things such as assessing creditworthiness, checking identity and age, preventing fraud and money laundering, complying with tax auditing, reporting and documentation requirements, the identification of governing Bodies and related conflicts of interest and evaluating and managing risks in the Bank and the Group.

 

4.    Who receives my data?

The parties that have access to your personal data within the Bank are those that need access so they can perform the Bank's contractual and legal obligations and pursue the legitimate interests of the Bank or of a third party. Our service providers and vicarious agents can also receive personal data for these purposes as long as they maintain banking confidentiality and our written data protection directions, or are subject to a duty of confidentiality for legal, contractual and/or professional conduct reasons. This generally concerns companies involved in financial services, IT, logistics, printing, telecommunications, debt collection, advisory services, marketing and sales.

In terms of transferring data to recipients outside of our Bank, we as a bank are first and foremost required to keep confidential all client-related facts and analyses of which we are aware (banking confidentiality as set out in clause 2 of our General Terms and Conditions of Business). We can only share information about you where there is a legal requirement to do so, where we have your consent, where we are authorised to issue a status report or provide other information.

In these circumstances, the recipients of personal data can include, for example:

-    public bodies and institutions (e.g. the German Bundesbank, the Federal Financial Supervisory Authority, European banking supervisory authorities, the European Central Bank, tax authorities, criminal investigative and prosecutorial authorities) where a statutory or regulatory requirement to do so applies;

-    other lending or financial services institutions or similar entities to whom we transfer personal data to conduct our business relationship with you (according to the particular contract, e.g. correspondent banks, custodian banks, exchanges, credit agencies);

-    Service providers we use to process orders;

-    other Group companies to manage risk in accordance with legal or regulatory requirements.

Other recipients include parties with whom you have authorised us to share your data or where you have waived banking confidentiality by way of an agreement or consent. 

5.    Is data transferred to any third-party country or an international organisation?

Data is transferred to parties or states outside the European Union ('third party countries'), where (i) doing so is necessary to execute your order (e.g. payment or securities orders), (ii) doing so is required by law (e.g. tax reporting requirements), (iii) you have provided consent or (iv) there are legitimate interests under data protection law and the affected party has no overriding legitimate interests.

6.    How long is my personal data stored?

We process and save your personal data as long as we need to in order to fulfil our contractual and statutory obligations. Bear in mind that our business relationship is a continuing obligation with a long-term timeline.

If the personal data is no longer required to perform contractual or legal obligations, it is deleted on a regular basis unless further, time-limited, processing is required for the following purposes:

-    To comply with civil or taxation record keeping obligations, this includes in particular the German Commercial Code (Handelsgesetzbuch - HGB), the Fiscal Code (Abgabenordnung - AO), the Banking Act (Kreditwesengesetz - KWG), the Money Laundering Act (Geldwäschegesetz - GwG) and the Securities Trading Act (Wertpapierhandelsgesetz - WpHG). The time periods set out in these acts require record keeping or documentation for two to ten years.
-    Retaining evidential material in relation to statutory limitation periods. Pursuant to sections 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch - BGB), limitation periods can span up to 30 years, although the usual limitation period is three years.

Where data is processed in pursuance of the legitimate interests of the Bank or a third party, the personal data is deleted as soon as that legitimate interest no longer overrides your interests or fundamental rights that require the protection of personal information. 
The exceptions mentioned above apply, however. This also applies where consent has been given to process data. Once you revoke your consent for data to be processed in the future, your personal data is deleted unless one of the exceptions set out above applies.

7.    What are my data protection rights?

Every affected person has the right of access under article 15 GDPR, the right to rectification under article 16 GDPR, the right to erasure under article 17 GDPR, the right to restriction of processing under article 18 GDPR, the right to object under article 21 GDPR and the right to data portability under article 20 GDPR. The limitations under sections 34 and 35 BDSG apply to the right of access and erasure. There is also a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).

You can withdraw your consent to us processing your personal data at any time. This also applies to withdrawing consent given before the GDPR came into force, i.e. before 25 May 2018. Please note that the withdrawal will only apply going forwards. This means that data processing prior to the withdrawal will not be affected.

8.    Am I under any duty to provide information?

As part of our business relationship, you have to provide us with the information required to establish and conduct a business relationship and to perform any associated contractual obligations, or information we are required to obtain by law. Without this personal data, we will generally have to decline to enter into the contract or execute the order, or to cease performing obligations under an existing contract and terminate it.

In particular, we are required under anti-money laundering regulations to identify you using your ID documentation in order to begin our business relationship. This includes collecting and verifying your name, place and date of birth, nationality, residence and official ID information. To comply with these legal obligations, you have to provide us with the necessary information and documentation required by the provisions of the GwG and immediately bring to our attention any subsequent changes arising over the course of our business relationships. If you do not provide us with the necessary information and documentation, we are prohibited from entering into or continuing a business relationship with you as requested.

9.    How much of the decision-making process is automated?

To establish and conduct a business relationship, we generally do not use a fully automated decision-making process as defined in article 22 GDPR. If we use such a procedure in individual cases, we will provide you with a separate notification that we are doing so as well as your rights where we are legally required to do so.

10.    Is there any profiling?

Some of the personal data we process is processed automatically with the aim of analysing certain personal aspects (profiling). We carry out profiling in the following cases:

-    Due to legal requirements, we have a duty to prevent money laundering and fraud. As part of this process, we analyse data (such as payments). These measures are also designed to protect you.
-    In order to tailor information and advice about products to you, we use analysis tools. These make it possible for us to communicate with and advertise to you in a way that suits your needs, including market and opinion research.
-    We use scoring as part of our process for assessing your creditworthiness. This includes calculating the probability that a client will not comply with his or her payment obligations as contractually required. The calculation takes into account things such as income situation, expenses, existing debt, profession, length of employment, prior business relationship experiences, due contractual repayment of previous loans as well as information from credit agencies. The scoring system is based on a mathematically and statistically recognised and accepted procedure. The resulting scores help us to make a decision about business transactions and are incorporated into our ongoing risk management.

Information about your right to object under article 21 of the General Data Protection Regulation (GDPR)

Circumstances where you have a right to object

You have the right to object at any time for reasons relating to your particular situation to the processing of personal data concerning you where the data processing is based on article 6(1)(e) GDPR (data processing in the public interest) and article 6(1)(f) GDPR (data processing to determine the balance of interests); this also applies to any profiling as defined by article 4(4) GDPR as provided for.

If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons that outweigh your interests, rights and liberties, or where the processing serves to enforce, exercise or defend legal rights.

Right to object where data is processed for marketing purposes

In some cases we process your personal data for direct marketing. You have the right at any time to object to personal data concerning you being processed for any such marketing purposes; this also applies to profiling in connection with direct marketing.

If you object to us processing your personal data for direct marketing purposes, we will not continue to do so.

No special form is needed to object, but wherever possible please send your objection to:

Deutsche Pfandbriefbank AG
Data Protection Officer
Parkring 28
85748 Garching, Germany

Telephone: +49 89 2880 0
Fax:            +49 89 2880 10319
E-mail:        group.dataprotection(at)pfandbriefbank.com