
Data protection information under the EU General Data Protection Regulation for “natural persons”

000 00000 00 DBEN 1868 IFC I 180112

Deutsche Bank Aktiengesellschaft

Applicable for current and potential customers of Deutsche Bank Privat- und Geschäftskunden AG and Deutsche Bank AG (both hereinafter referred to as “the Bank”).

January, 2018

The following information provides an overview of how we process your personal data and your rights under data protection law. Which specific data are processed and how they are used depends largely on the services requested or agreed in each case.

Please also forward this information to the current and future authorised representatives and beneficial owners as well as any co-obligors under a loan. These include, e. g., beneficiaries in the event of death, commercial attorneys-in-fact (Prokuristen) or guarantors.

1. Who is responsible for the data processing and who can I contact in this regard

Responsibility for PGK customers lies with:
Deutsche Bank Privat- und Geschäftskunden AG
Theodor-Heuss-Allee 72
60486 Frankfurt am Main
Tel: + 49 (69) 910-10000
Fax: + 49 (69) 910-10001
E-mail: [email protected]

You can reach our corporate data protection officer for PGK customers at:
Deutsche Bank Privat- und Geschäftskunden AG
Data protection officer
Theodor-Heuss-Allee 72
60486 Frankfurt am Main
Tel: + 49 (69) 910-10000
E-mail: [email protected]

Responsibility for AG customers lies with:
Deutsche Bank AG
Taunusanlage 12
60325 Frankfurt am Main
Tel: + 49 (69) 910-10000
Fax: + 49 (69) 910-10001
E-mail: [email protected]

You can reach our corporate data protection officer for AG customers at:
Deutsche Bank AG
Data protection officer
Taunusanlage 12
60325 Frankfurt am Main
Tel: + 49 (69) 910-10000
E-mail: [email protected]

2. What sources and data do we use

We process personal data which we receive from our clients in the context of our business relationship. To the extent necessary in order to provide our services, we also process personal data which we lawfully (e. g., for executing orders, performing contracts or on the basis of your consent) receive from other entities within the Deutsche Bank Group or other third parties (e. g., SCHUFA). We also process personal data from publicly available sources (e. g., debtor directories, land registers, commercial registers and registers of associations, press, media, Internet) which we lawfully obtain and are permitted to process.

Relevant personal data collected in dealing with prospective clients, master data set-up, in the context of authorisation (account authorisation and / or credit card holder) or as a co-obligor under a loan (e. g., guarantor) may be:

Name, address / other contact information (telephone, e-mail address), date / place of birth, gender, nationality, marital status, legal capacity, occupational group code / partner type (employed / self-employed), residential status (rental / ownership), identification data (e. g., identification document data), authentication data (e. g., specimen signature), tax-ID, FATCA status, SCHUFA score, EU basic payment account identification.

When products / services from the product categories listed below are purchased and used, additional personal data may be collected, processed and stored in addition to the aforementioned data. These primarily include:

Account and payment transactions (incl. online banking)
Order data (e. g., payment orders), data stemming from the performance of our contractual obligations (e. g., payment transaction data).

Savings and deposits
Data stemming from the performance of our contractual obligations (e. g., transactions), tax information (e. g., information on the obligation to pay church tax), information on any third-party beneficiaries, direct debit data, documentation data (e. g., consultation records).

Securities business
Information on knowledge of and / or experience with securities (MiFID status), investment behaviour / strategy (scope, frequency, risk appetite), occupation, financial situation (assets, liabilities, income from (self-)employment / trade, expenses), foreseeable changes in financial circumstances (e. g., age of retirement), specific objectives / major concerns in the future (e. g., planned acquisitions, redemption of liabilities), tax information (e. g., information on the obligation to pay church tax), documentation data (e. g., suitability statement).

Bausparen
Bauspar contract number, basic / tax data, rates, allocation / disbursement data, state funding, transaction data / history, direct debit data, third party rights, quality data.

Life and pension insurance, occupational disability / long-term care insurance, private health insurance
Policy number, product data (e. g., rate, benefit, premium), documentation data (e. g., consultation records). Where the premiums are invested in securities, the personal data listed under no. 2.3 Securities business will be used.

Credit cards
Occupation, income, rental costs or construction financing rate, dependent children, residence / work permit in the case of non-EU nationals.

Consumer financing (consumers)
Credit records (income, expenses, third-party account statements), employer, nature and term of the employment relationship, number of dependent children, residence / work permit in the case of non-EU nationals, scoring / rating data, intended purpose, documentation data (e. g., consultation records).

Construction financing (consumers and self-employed persons)
Credit records (salary statements, cash flow accounts and balance sheets, tax documentation, information / proof of assets and liabilities, guarantees assumed, third-party account statements, expenses), employer, nature and term of the employment relationship, nature and term of self-employment, number of dependent children, marital property, residence / work permit in the case of non-EU nationals, scoring / rating data, information / proof of intended purpose, own and external collateral: property documentation (e. g., land register extracts, property appraisals), documentation data (e. g., consultation records).

Commercial financing (self-employed persons)
Business credit records: cash flow accounts, balance sheets, business management analysis, nature and term of self-employment.
Personal credit records: self-declaration with information on income and expenses as well as assets and liabilities, salary statements, tax documentation, proof of assets, guarantees assumed, number of dependent children, marital property regime, residence / work permit in the case of non-EU nationals, scoring / rating data, information / proof of intended purpose, information on collateral furnished, property documentation (e. g., land register extracts, property appraisals).
In the case of personal guarantees by third parties (external collateral), the bank may impose comparable requirements on the respective guarantors to disclose the economic and financial circumstances.

Interest rate and currency management
Information on knowledge of and / or experience with interest rate / currency products / financial investment (MiFID status), investment behaviour / strategy (scope, frequency, risk appetite), occupation, financial situation (assets, liabilities, income from (self-)employment / trade, expenses), foreseeable changes in financial circumstances (e. g., age of retirement), specific objectives / major concerns in the future (e. g., planned acquisitions, redemption of liabilities), tax information (e. g., information on the obligation to pay church tax), documentation data (e. g., consultation records).

Client contact information
In the business origination and development phase and over the course of the business relationship, particularly as a result of personal, telephone or written contact initiated by you or the bank, additional personal data is created, e. g., information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information on participation in direct marketing activities.

Digital services
With respect to data processed when using digital service products, please refer to further information on data protection in connection with the respective digital service (for instance, processing transaction data from integrated third-party bank accounts in the context of multi-bank aggregation when using the FinanzPlaner App).

3. Why do we process your data (purpose of the processing) and on what legal basis

We process the aforementioned personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):

a. for the performance of contractual obligations (article 6 (1) b) GDPR)
The processing of personal data is carried out in order to perform banking transactions and financial services pursuant to contracts with our clients or to take steps at your request prior to entering into a contract.
The purposes of the data processing are primarily dependent on the specific product (see no. 2) and may include, among other things, requirements analyses, advice, asset management and transactional services. For further details on the purpose of the data processing, please refer to the respective contractual documentation and terms and conditions.

b. for the purposes of safeguarding legitimate interests (article 6 (1) f) GDPR)
Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by a third party. Examples:
— Consulting and exchanging data with credit agencies (e. g., SCHUFA) to determine credit or default risks and requirements in the case of a garnishment protection account or basic payment account
— Evaluating and optimising procedures for demand analysis and for approaching clients directly; incl. client segmentation and calculating the likelihood of closure.
— Advertising or market and opinion research, to the extent that you have not objected to having your data used
— Asserting legal claims and mounting a defence in the event of litigation
— Ensuring the bank’s IT security and IT operations
— Preventing crimes
— Video surveillance to safeguard against trespassers, to gather evidence in the event of robbery or fraud or to document disposals and deposits, e. g., at ATMs
— Measures for building and systems security (e. g., admittance control)
— Measures to ensure against trespassing
— Measures to manage business and further develop services and products
— Group risk management

c. on the basis of your consent (article 6 (1) a) GDPR)
Insofar as you have granted us consent to the processing of personal data for specific purposes (e. g., transfer of data within the association / Group), the lawfulness of such processing is based on your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation shall only have effect for the future. Any processing that was carried out prior to the revocation shall not be affected thereby. You can request a status overview of the consents you have granted from us at any time or view some of them when banking online.

d. for compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) e) GDPR)
As a bank, we are also subject to various legal obligations, i. e., statutory requirements (e. g., the German Banking Act (Kreditwesengesetz – KWG), the German Money Laundering Act (Geldwäschegesetz – GWG), the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG), tax laws) as well as banking supervisory requirements (e. g., the European Central Bank, the European Banking Supervisory Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin)). Other purposes of processing include credit checks, identity and age verification, anti-fraud and anti-money laundering measures, the satisfaction of tax law control and reporting obligations as well as the assessment and management of risks in the bank and the Group.

4. Who receives my data

Within the bank, those offices are given access to your data which require them in order to perform our contractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they observe banking secrecy and our written instructions under data protection law. These are mainly companies from the categories listed below.

With regard to the transfer of data to recipients outside the bank, it must first of all be noted that as a bank we are under a duty to maintain secrecy about any customer-related facts and evaluations of which we may have knowledge (Banking secrecy under no. 2 of our General Business Conditions). We may only disclose information about you if we are legally required to do so, if you have given your consent, if we are authorised to provide bank information and / or if processors commissioned by us guarantee compliance with banking secrecy and the provisions of the GDPR / BDSG.

Under these conditions, recipients of personal data may be, for example:
— Public authorities and institutions (e. g., Deutsche Bundesbank, BaFin, the European Banking Authority, the European Central Bank, tax offices, the German Federal Central Tax Office (Bundeszentralamt für Steuern)) insofar as a statutory or official obligation exists.
— Other credit and financial services institutions, comparable institutions and processors to whom we transfer personal data in order to perform the business relationship with you. Specifically: processing of bank references, support / maintenance of EDP / IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, purchasing / procurement, space management, real estate appraisals, loan processing service, collateral management, collection, payment card processing (debit card / credit cards), customer management, lettershops, marketing, media technology, reporting, research, risk controlling, expense accounting, telephony, video identification, website management, investment services, share register, fund management, auditing services, payment transactions.

Other recipients of data may be those offices to which you have given your consent to the transfer of data or with respect to which you have exempted us from banking secrecy by agreement or consent.

5. Is data transferred to a third country or to an international organisation

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your orders (e. g. payment and securities orders), prescribed by law (e. g., reporting obligations under tax law), if you have given us your consent or in the context of commissioned data processing. If service providers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.


6. How long will my data be stored

We process and store your personal data as long as it is necessary for the performance of our contractual and statutory obligations. In this regard, it should be noted that our business relationship is a continuing obligation designed to last for several years.

If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:
— Compliance with records retention periods under commercial and tax law, such as the German Commercial Code (Handelsgesetzbuch – HGB); the German Tax Code (Abgabenordnung – AO); the Banking Act (Kreditwesengesetz – KWG); the Money Laundering Act (Geldwäschegesetz – GwG); and the Securities Trading Act (Wertpapierhandelsgesetz – WpHG). The records retention periods prescribed therein range from two to 10 years.
— Preservation of evidence within the scope of statutes of limitations. Under section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may be up to 30 years, whereby the regular limitation period is three years.

7. What data protection rights do I have

Every data subject has a right of access (article 15 GDPR), a right to rectification (article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to data portability (article 20 GDPR). The right of access and right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).

You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.

Deutsche Bank Bauspar AG is the counterparty of the Bauspar contracts you have entered into; our cooperation partners, Zurich Deutscher Herold Lebensversicherungs AG (endowment / risk insurance) and DKV (health insurance), are the counterparties of the insurance contracts you have directly entered into. Please contact the Data Protection Officers of the aforementioned organisations directly regarding your data protection rights.

8. Am I under any obligation to provide data

Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of a business relationship and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we would not be able to enter into any contract or execute the order without these data or we may no longer be able to carry out an existing contract and would have to terminate it.

In particular, provisions of money laundering law require that we verify your identity before entering into the business relationship, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents in accordance with section 4 (6) GWG and notify us without undue delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to enter into or continue your requested business relationship.

9. To what extent is automated decision-making (including profiling) carried out

As a rule, we do not make decisions based solely on automated processing as defined in article 22 GDPR to establish and implement the business relationship. If we use these procedures in individual cases, we will inform you of this separately, provided that this is prescribed by law.

10. Is “profiling” used

In some cases, we process your data automatically with the aim of evaluating certain personal aspects (profiling). For instance, we use profiling in the following cases:
— We are required by law to take anti-money laundering and anti-fraud measures. Data evaluations are also carried out (in payment transactions, among other things) in this context. These measures also serve to protect you.
— In order to provide you with targeted information and advice on products, we use evaluation tools. These enable demand-oriented communication and advertising, including market and opinion research.
— We use scoring to assess your creditworthiness. We calculate the likelihood that a given client will meet their contractual payment obligations. The calculation may include, for example, income levels, expenses, existing liabilities, occupation, length of employment, experiences from the previous business relationship, repayment of prior loans in accordance with the contract, and information from credit agencies. Scoring is based on a mathematically and statistically recognised and proven procedure. The calculated score values assist us in our decision-making and are incorporated into ongoing risk management.

Information on your right to object under article 21 of the EU General Data Protection Regulation (GDPR)

1. Ad hoc right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 (4) GDPR.
If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.

2. Right to object to the processing of data for marketing purposes
In certain cases, we process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

There are no formal requirements for lodging an objection; where possible it should be made by telephone to: +49 (069) 910 10000.


Data protection information under the EU General Data Protection Regulation for authorised representatives / agents of “legal entities”

000 00000 00 DBEN 1869 IFC I 171207

Deutsche Bank Privat- und Geschäftskunden AG

3. Why do we process your data (purpose of the processing) and on what legal basis

We process the aforementioned personal data in compliance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):

a. for the performance of contractual obligations (article 6 (1) b) GDPR)

The processing of personal data is carried out in order to perform banking transactions and financial services pursuant to contracts with our clients or to take steps prior to entering into a contract. For further details on the purpose of the data processing, please refer to the respective contractual documentation and terms and conditions.

b. for compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) e) GDPR)

As a bank, we are also subject to various legal obligations, i. e., statutory requirements (e. g., the German Banking Act (Kreditwesengesetz – KWG), the German Money Laundering Act (Geldwäschegesetz – GWG), the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG), tax laws) as well as banking supervisory requirements (e. g., the European Central Bank, the European Banking Supervisory Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin)). The purposes of processing include identity and age verification as well as anti-fraud and anti-money laundering measures.

c. for the purposes of safeguarding legitimate interests (article 6 (1) f) GDPR)

Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by a third party. Examples:

— Asserting legal claims and mounting a defence in the event of litigation
— Ensuring the bank’s IT security and IT operations
— Preventing crimes
— Video surveillance to safeguard against trespassers, to gather evidence in the event of robbery or fraud or to document disposals and deposits, e. g., at ATMs
— Measures for building and systems security (e. g., admittance control)
— Measures to ensure against trespassing

d. on the basis of your consent (article 6 (1) a) GDPR)

Insofar as you have granted us consent to the processing of personal data for specific purposes (e. g., transfer of data within the association / Group), the lawfulness of such processing is based on your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future and does not apply to processing carried out prior thereto.

4. Who receives my data

Within the bank, those offices are given access to your data which require them in order to perform our contractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they observe banking secrecy and our written instructions under data protection law. With regard to the transfer of data to recipients outside the bank, it must first of all be noted that as a bank we are under a duty to maintain secrecy about any customer-related facts and evaluations (applies equally to authorised representatives / agents) of which we may have knowledge (Banking secrecy under no. 2 of our General Business Conditions). We may only disclose information about you if we are legally required to do so, if you have given your consent and / or if processors commissioned by us guarantee compliance with banking secrecy and the provisions of the GDPR / BDSG.

December, 2017

The following information provides an overview of how we process your personal data and your rights under data protection law. Which specific data are processed and how they are used is explained below.

Please also forward this information to the current and future authorised representatives and beneficial owners as well as any co-obligors under a loan. These include, e. g., beneficiaries in the event of death, commercial attorneys-in-fact (Prokuristen) or guarantors.

1. Who is responsible for the data processing and who can I contact in this regard

Responsibility for PGK customers lies with:
Deutsche Bank Privat- und Geschäftskunden AG
Theodor-Heuss-Allee 72
60486 Frankfurt am Main
Tel: + 49 (69) 910-10000
Fax: + 49 (69) 910-10001
E-mail: [email protected]

You can reach our corporate data protection officer for PGK customers at:
Deutsche Bank Privat- und Geschäftskunden AG
Data protection officer
Theodor-Heuss-Allee 72
60486 Frankfurt am Main
Tel: + 49 (69) 910-10000
E-mail: [email protected]

Responsibility for AG customers lies with:
Deutsche Bank AG
Taunusanlage 12
60325 Frankfurt am Main
Tel: + 49 (69) 910-10000
Fax: + 49 (69) 910-10001
E-mail: [email protected]

You can reach our corporate data protection officer for AG customers at:
Deutsche Bank AG
Data protection officer
Taunusanlage 12
60325 Frankfurt am Main
Tel: + 49 (69) 910-10000
E-mail: [email protected]

2. What sources and data do we use

We process personal data that we receive from you in your capacity as the authorised representative / agent of the legal entity (prospective and / or existing client). We also process personal data from publicly available sources (e. g., commercial registers and registers of associations, media, Internet) which we lawfully obtain and are permitted to process.

Relevant personal data of the authorised representative / agent may be:

Name, address / other contact information (telephone, e-mail address), date / place of birth, gender, nationality, marital status, legal capacity, employed / self-employed, identification data (e. g., identification document data), authentication data (e. g., specimen signature), tax-ID.

When products / services are purchased and used, additional personal data may be collected, processed and stored in addition to the aforementioned data. These primarily include:

Information and records on knowledge of and / or experience with securities, interest rate / currency products / financial investments (MiFID status: suitability / appropriateness test).

Applicable for current and potential customers of Deutsche Bank Privat- und Geschäftskunden AG and Deutsche Bank AG (both hereinafter referred to as “the Bank”).


Data protection information under the EU General Data Protection Regulation for authorised representatives / agents of “legal entities”

000 00000 00 DBEN 1869 IFC I 171207

Deutsche Bank Privat- und Geschäftskunden AG

5. Is data transferred to a third country or to an international organisation

Data will only be transferred to bodies in countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your client's orders (e. g., payment and securities orders), prescribed by law (e. g., reporting obligations under tax law), if you have given us your consent or in the context of commissioned data processing. If service providers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.

6. How long will my data be stored

We process and store your personal data as long as you are authorised to represent the respective legal entity in dealings with us.

If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:

— Compliance with records retention periods under commercial and tax law, such as the German Commercial Code (Handelsgesetzbuch – HGB); the German Tax Code (Abgabenordnung – AO); the Banking Act (Kreditwesengesetz – KWG); the Money Laundering Act (Geldwäschegesetz – GwG); and the Securities Trading Act (Wertpapierhandelsgesetz – WpHG). The records retention periods prescribed therein range from two to 10 years.
— Preservation of evidence within the scope of statutes of limitations. Under section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may be up to 30 years, whereby the regular limitation period is three years.

7. What data protection rights do I have

Every data subject has a right of access (article 15 GDPR), a right to rectification (article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to data portability (article 20 GDPR). The right of access and right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).

You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.

8. Am I under any obligation to provide data

Within the scope of our business relationship with the legal entity you represent in dealings with us, you must provide personal data which is necessary for accepting and executing any representative authority / authorisation and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we would not be able to accept you as the authorised representative / agent without these data or we would have to revoke any existing representative authority / authorisation.

In particular, provisions of money laundering law require that we verify your identity before establishing the authority / authorisation, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents in accordance with section 4 (6) GWG and notify us without undue delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to institute or continue the representative authority / authorisation requested by the respective legal entity.

Information on your right to object under article 21 of the General Data Protection Regulation (GDPR)

Ad hoc right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests).

If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.

There are no formal requirements for lodging an objection; where possible it should be made by telephone to: +49 (069) 910-10000.


Data protection information under the EU General Data Protection Regulation for “natural persons”

003 00000 00 DBEN 1834 IFC I 180112

January, 2018

Securities business
Information on knowledge of and / or experience with securities (MiFID status), investment behaviour / strategy (scope, frequency, risk appetite), occupation, financial situation (assets, liabilities, income from (self-)employment / trade, expenses), foreseeable changes in financial circumstances (e. g., age of retirement), specific objectives / major concerns in the future (e. g., planned acquisitions, redemption of liabilities), tax information (e. g., information on the obligation to pay church tax), documentation data (e. g., suitability statement).

Life and pension insurance
Policy number, product data (e. g., rate, benefit, premium), documentation data (e. g., consultation records). Where the premiums are invested in securities, the personal data listed under no. 2.3 Securities business will be used.

Credit cards
Occupation, income, rental costs or construction financing rate, dependent children, residence / work permit in the case of non-EU nationals.

Consumer financing (consumers)
Credit records (income, expenses, third-party account statements), employer, nature and term of the employment relationship, number of dependent children, residence / work permit in the case of non-EU nationals, scoring / rating data, intended purpose, documentation data (e. g., consultation records).

Structured financing (consumers and self-employed persons)
Credit records (salary statements, cash flow accounts and balance sheets, tax documentation, information / proof of assets and liabilities, guarantees assumed, third-party account statements, expenses), employer, nature and term of the employment relationship, nature and term of self-employment, number of dependent children, marital property, residence / work permit in the case of non-EU nationals, scoring / rating data, information / proof of intended purpose, own and external collateral: property documentation (e. g., land register extracts, property appraisals), documentation data (e. g., consultation records).

In the case of personal guarantees by third parties (external collateral), the bank may impose comparable requirements on the respective guarantors to disclose the economic and financial circumstances.

Interest rate, currency and liquidity management
Information on knowledge of and / or experience with interest rate / currency products / financial investment (MiFID status), investment behaviour / strategy (scope, frequency, risk appetite), occupation, financial situation (assets, liabilities, income from (self-)employment / trade, expenses), foreseeable changes in financial circumstances (e. g., age of retirement), specific objectives / major concerns in the future (e. g., planned acquisitions, redemption of liabilities), tax information (e. g., information on the obligation to pay church tax), documentation data (e. g., consultation records).

Client contact information
In the business origination and development phase and over the course of the business relationship, particularly as a result of personal, telephone or written contact initiated by you or the bank, additional personal data is created, e. g., information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information on participation in direct marketing activities.

Digital services
With respect to data processed when using digital service products, please refer to further information on data protection in connection with the respective digital service (for instance, processing transaction data from integrated third-party bank accounts in the context of multi-bank aggregation).

The following information provides an overview of how we process your personal data and your rights under data protection law. Which specific data are processed and how they are used depends largely on the services requested or agreed in each case.

Please also forward this information to the current and future authorised representatives and beneficial owners as well as any co-obligors under a loan. These include, e. g., beneficiaries in the event of death, commercial attorneys-in-fact (Prokuristen) or guarantors.

1. Who is responsible for the data processing and who can I contact in this regard

Controller:
Deutsche Bank AG
Taunusanlage 12
60325 Frankfurt am Main
Tel: + 49 (69) 910-10000
Fax: + 49 (69) 910-10001
E-mail: [email protected]

internal data protection officer may be contacted at
Deutsche Bank AG
Data protection officer
Taunusanlage 12
60325 Frankfurt am Main
Tel: + 49 (69) 910-10000
E-mail: [email protected]

2. What sources and data do we use

We process personal data which we receive from our clients in the context of our business relationship. To the extent necessary in order to provide our services, we also process personal data which we lawfully (e. g., for executing orders, performing contracts or on the basis of your consent) receive from other entities within the Deutsche Bank Group or other third parties (e. g., SCHUFA). We also process personal data from publicly available sources (e. g., debtor directories, land registers, commercial registers and registers of associations, press, media, Internet) which we lawfully obtain and are permitted to process.

Relevant personal data collected in dealing with prospective clients, master data set-up, in the context of authorisation (account authorisation and / or credit card holder) or as a co-obligor under a loan (e. g., guarantor) may be:

Name, address / other contact information (telephone, e-mail address), date / place of birth, gender, nationality, marital status, legal capacity, occupational group code / partner type (employed / self-employed), residential status (rental / ownership), identification data (e. g., identification document data), authentication data (e. g., specimen signature), tax-ID, FATCA status, SCHUFA score.

When products / services from the product categories listed below are purchased and used, additional personal data may be collected, processed and stored in addition to the aforementioned data. These primarily include:

Account and payment transactions (incl. online banking)
Order data (e. g., payment orders), data stemming from the performance of our contractual obligations (e. g., payment transaction data).

Savings and deposits
Data stemming from the performance of our contractual obligations (e. g., transactions), tax information (e. g., information on the obligation to pay church tax), information on any third-party beneficiaries, direct debit data, documentation data (e. g., consultation records).

Deutsche Bank Wealth Management


3. Why do we process your data (purpose of the processing) and on what legal basis

We process the aforementioned personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):

a. for the performance of contractual obligations (article 6 (1) b) GDPR)

The processing of personal data is carried out in order to perform banking transactions and financial services pursuant to contracts with our clients or to take steps at your request prior to entering into a contract.

The purposes of the data processing are primarily dependent on the specific product (see no. 2) and may include, among other things, requirements analyses, advice, asset management and transactional services. For further details on the purpose of the data processing, please refer to the respective contractual documentation and terms and conditions.

b. for the purposes of safeguarding legitimate interests (article 6 (1) f) GDPR)

Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by a third party. Examples:

— Consulting and exchanging data with credit agencies (e. g., SCHUFA) to determine credit or default risks and requirements in the case of a garnishment protection account
— Evaluating and optimising procedures for demand analysis and for approaching clients directly; incl. client segmentation and calculating the likelihood of closure.
— Advertising or market and opinion research, to the extent that you have not objected to having your data used
— Asserting legal claims and mounting a defence in the event of litigation
— Ensuring the bank’s IT security and IT operations
— Preventing crimes
— Video surveillance to safeguard against trespassers, to gather evidence in the event of robbery or fraud or to document disposals and deposits, e. g., at ATMs
— Measures for building and systems security (e. g., admittance control)
— Measures to ensure against trespassing
— Measures to manage business and further develop services and products
— Group risk management

c. on the basis of your consent (article 6 (1) a) GDPR)

Insofar as you have granted us consent to the processing of personal data for specific purposes (e. g., transfer of data within the association / Group), the lawfulness of such processing is based on your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation shall only have effect for the future. Any processing that was carried out prior to the revocation shall not be affected thereby. You can request a status overview of the consents you have granted from us at any time or view some of them when banking online.

d. for compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) e) GDPR)

As a bank, we are also subject to various legal obligations, i. e., statutory requirements (e. g., the German Banking Act (Kreditwesengesetz – KWG), the German Money Laundering Act (Geldwäschegesetz – GWG), the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG), tax laws) as well as banking supervisory requirements (e. g., the European Central Bank, the European Banking Supervisory Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin)). Other purposes of processing include credit checks, identity and age verification, anti-fraud and anti-money laundering measures, the satisfaction of tax law control and reporting obligations as well as the assessment and management of risks in the bank and the Group.

4. Who receives my data

Within the bank, those offices are given access to your data which require them in order to perform our contractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they observe banking secrecy and our written instructions under data protection law. These are mainly companies from the categories listed below.

With regard to the transfer of data to recipients outside the bank, it must first of all be noted that as a bank we are under a duty to maintain secrecy about any customer-related facts and evaluations of which we may have knowledge (Banking secrecy under no. 2 of our General Business Conditions). We may only disclose information about you if we are legally required to do so, if you have given your consent, if we are authorised to provide bank information and / or if processors commissioned by us guarantee compliance with banking secrecy and the provisions of the GDPR / BDSG.

Under these conditions, recipients of personal data may be, for example:

— Public authorities and institutions (e. g., Deutsche Bundesbank, BaFin, the European Banking Authority, the European Central Bank, tax offices, the German Federal Central Tax Office (Bundeszentralamt für Steuern)) insofar as a statutory or official obligation exists.
— Other credit and financial services institutions, comparable institutions and processors to whom we transfer personal data in order to perform the business relationship with you. Specifically: processing of bank references, support / maintenance of EDP / IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, purchasing / procurement, space management, real estate appraisals, loan processing service, collateral management, collection, payment card processing (debit card / credit cards), customer management, lettershops, marketing, media technology, reporting, research, risk controlling, expense accounting, telephony, video identification, website management, investment services, share register, fund management, auditing services, payment transactions.

Other recipients of data may be those offices to which you have given your consent to the transfer of data or with respect to which you have exempted us from banking secrecy by agreement or consent.

5. Is data transferred to a third country or to an international organisation

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your orders (e. g. payment and securities orders), prescribed by law (e. g., reporting obligations under tax law), if you have given us your consent or in the context of commissioned data processing. If service providers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.

6. How long will my data be stored

We process and store your personal data as long as it is necessary for the performance of our contractual and statutory obligations. In this regard, it should be noted that our business relationship is a continuing obligation designed to last for several years.

If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:

— Compliance with records retention periods under commercial and tax law, such as the German Commercial Code (Handelsgesetzbuch – HGB); the German Tax Code (Abgabenordnung – AO); the Banking Act (Kreditwesengesetz – KWG); the Money Laundering Act (Geldwäschegesetz – GwG); and the Securities Trading Act (Wertpapierhandelsgesetz – WpHG). The records retention periods prescribed therein range from two to 10 years.


— Preservation of evidence within the scope of statutes of limitations. Under section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may be up to 30 years, whereby the regular limitation period is three years.

7. What data protection rights do I have

Every data subject has a right of access (article 15 GDPR), a right to rectification (article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to data portability (article 20 GDPR). The right of access and right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).

You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.

Our cooperation partner, Zurich Deutscher Herold Lebensversicherungs AG (endowment / risk insurance) is the counterparty of the insurance contracts you have directly entered into. Please contact the Data Protection Officer of the aforementioned organisation directly regarding your data protection rights.

8. Am I under any obligation to provide data

Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of a business relationship and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we would not be able to enter into any contract or execute the order without these data or we may no longer be able to carry out an existing contract and would have to terminate it.

In particular, provisions of money laundering law require that we verify your identity before entering into the business relationship, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents in accordance with section 4 (6) GWG and notify us without undue delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to enter into or continue your requested business relationship.

9. To what extent is automated decision-making (including profiling) carried out

As a rule, we do not make decisions based solely on automated processing as defined in article 22 GDPR to establish and implement the business relationship. If we use these procedures in individual cases, we will inform you of this separately, provided that this is prescribed by law.

10. Is “profiling” used

In some cases, we process your data automatically with the aim of evaluating certain personal aspects (profiling). For instance, we use profiling in the following cases:

— We are required by law to take anti-money laundering and anti-fraud measures. Data evaluations are also carried out (in payment transactions, among other things) in this context. These measures also serve to protect you.
— In order to provide you with targeted information and advice on products, we use evaluation tools. These enable demand-oriented communication and advertising, including market and opinion research.
— We use scoring to assess your creditworthiness. We calculate the likelihood that a given client will meet their contractual payment obligations. The calculation may include, for example, income levels, expenses, existing liabilities, occupation, length of employment, experiences from the previous business relationship, repayment of prior loans in accordance with the contract, and information from credit agencies. Scoring is based on a mathematically and statistically recognised and proven procedure. The calculated score values assist us in our decision-making and are incorporated into ongoing risk management.

Information on your right to object under article 21 of the EU General Data Protection Regulation (GDPR)

1. Ad hoc right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 (4) GDPR.

If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.

2. Right to object to the processing of data for marketing purposes

In certain cases, we process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

There are no formal requirements for lodging an objection; where possible it should be made by telephone to: +49 (069) 910 10000.


Data protection information under the EU General Data Protection Regulation for authorised representatives / agents of “legal entities”

003 00000 00 DBEN 1836 IFC I 171121

December, 2017

(Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin). The purposes of processing include identity and age verification as well as anti-fraud and anti-money laundering measures.

c. for the purposes of safeguarding legitimate interests (article 6 (1) f) GDPR)

Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by a third party. Examples:

— Asserting legal claims and mounting a defence in the event of litigation
— Ensuring the bank’s IT security and IT operations
— Preventing crimes
— Video surveillance to safeguard against trespassers, to gather evidence in the event of robbery or fraud or to document disposals and deposits, e. g., at ATMs
— Measures for building and systems security (e. g., admittance control)
— Measures to ensure against trespassing

d. on the basis of your consent (article 6 (1) a) GDPR)

Insofar as you have granted us consent to the processing of personal data for specific purposes (e. g., transfer of data within the association / Group), the lawfulness of such processing is based on your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future and does not apply to processing carried out prior thereto.

4. Who receives my dataWithin the bank, those offi ces are given access to your data which re-quire them in order to perform our contractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they observe banking secrecy and our written instructions under data protection law. With regard to the transfer of data to recipients outside the bank, it must fi rst of all be noted that as a bank we are under a duty to maintain secrecy about any customer-related facts and evaluations (applies equally to authorised representatives / agents) of which we may have knowledge (Banking secrecy under no. 2 of our Gen-eral Business Conditions). We may only disclose information about you if we are legally required to do so, if you have given your consent and / or if processors commissioned by us guarantee compliance with banking se-crecy and the provisions of the GDPR / BDSG.

5. Is data transferred to a third country or to an international organisation

Data will only be transferred to bodies in countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your client‘s orders (e. g., payment and securities orders), prescribed by law (e. g., reporting obligations under tax law), if you have given us your con-sent or in the context of commissioned data processing. If service provid-ers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.

6. How long will my data be storedWe process and store your personal data as long as you are authorised to represent the respective legal entity in dealings with us.If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:— Compliance with records retention periods under commercial and tax

law, such as the German Commercial Code (Handelsgesetzbuch – HGB); the German Tax Code (Abgabenordnung – AO); the Banking Act (Kreditwesengesetz – KWG); the Money Laundering Act (Geld-wäschegesetz – GwG); and the Securities Trading Act (Wertpapier-handelsgesetz – WpHG). The records retention periods prescribed therein range from two to 10 years.

The following information provides an overview of how we process your personal data and your rights under data protection law. Which specifi c data are processed and how they are used is explained below.Please also forward this information to the current and future authorised representatives and benefi cial owners as well as any co-obligors under a loan. These include, e. g., benefi ciaries in the event of death, commercial attorneys-in-fact (Prokuristen) or guarantors.

1. Who is responsible for the data processing and who can I contact in this regard

Controller:Deutsche Bank AGTaunusanlage 1260325 Frankfurt am MainTelefon: (069) 910-10000Fax: (069) 910-10001E-mail: [email protected]

Our internal data protection offi cer may be contacted atDeutsche Bank AGData protection offi cerTaunusanlage 1260325 Frankfurt am MainTelefon: (069) 910-10000E-mail: [email protected]

2. What sources and data do we useWe process personal data that we receive from you in your capacity as the authorised representative / agent of the legal entity (prospective and / or existing client). We also process personal data from publicly available sources (e. g., commercial registers and registers of associations media, Internet) which we lawfully obtain and are permitted to process.Relevant personal data of the authorised representative / agent may be:Name, address / other contact information (telephone, e-mail address), date / place of birth, gender, nationality, marital status, legal capacity, em-ployed / self-employed, identifi cation data (e. g., identifi cation document data), authentication data (e. g., specimen signature), tax-ID.When products / services are purchased and used, additional personal data may be collected, processed and stored in addition to the aforemen-tioned data. These primarily include:Information and records on knowledge of and / or experience with securi-ties, interest rate / currency products / fi nancial investments (MiFID status: suitability / appropriateness test).

3. Why do we process your data (purpose of the processing) and on what legal basis

We process the aforementioned personal data in compliance with the pro-visions of the General Data Protection Regulation (GDPR) and the Ger-man Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):a. for the performance of contractual obligations (article 6 (1) b) GDPR)The processing of personal data is carried out in order to perform banking transactions and fi nancial services pursuant to contracts with our clients or to take steps prior to entering into a contract. For further details on the purpose of the data processing, please refer to the respective contractual documentation and terms and conditions.b. for compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) e) GDPR)As a bank, we are also subject to various legal obligations, i. e., statutory requirements (e. g., the German Banking Act (Kreditwesengesetz – KWG), the German Money Laundering Act (Geldwäschegesetz – GWG), the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG), tax laws) as well as banking supervisory requirements (e. g., the European Central Bank, the European Banking Supervisory Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority


— Preservation of evidence within the scope of statutes of limitations. Under section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may be up to 30 years, whereby the regular limitation period is three years.

7. What data protection rights do I have

Every data subject has a right of access (article 15 GDPR), a right to rectification (article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to data portability (article 20 GDPR). The right of access and right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).

You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.

8. Am I under any obligation to provide data

Within the scope of our business relationship with the legal entity you represent in dealings with us, you must provide personal data which is necessary for accepting and executing any representative authority / authorisation and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we would not be able to accept you as the authorised representative / agent without these data or we would have to revoke any existing representative authority / authorisation.

In particular, provisions of money laundering law require that we verify your identity before establishing the authority / authorisation, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents in accordance with section 4 (6) GWG and notify us without undue delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to institute or continue the representative authority / authorisation requested by the respective legal entity.

Information on your right to object under article 21 of the General Data Protection Regulation (GDPR)

Ad hoc right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests).

If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.

There are no formal requirements for lodging an objection; where possible it should be made by telephone to: +49 (069) 910-10000.
