Privacy policy - contractors

Transcription

1 Dear business partner, Dear Sir or Madam, please find below some frequently asked questions about how your personal data is processed by DZ BANK, as well as the rights and claims which you are entitled to under data protection law. We are providing you with this guidance because DZ BANK may collect and process your personal data in conjunction with the purchasing and commissioning of services in accordance with the General Terms of DZ BANK for the Purchase and Commissioning of Services (AEB) and other contract documents. The specific data which is collected and the manner in which it is processed depends on the specific service and the stage of the commissioning process it has reached. 1. Who is responsible for processing my personal data and whom can I contact about it? The party responsible for processing your personal data (the controller) is: DZ BANK AG Platz der Republik, Frankfurt am Main Post: Frankfurt am Main Telephone: Fax: mail@dzbank.de You can also use this contact information if you have any enquiries related to data protection. If you would prefer to direct your enquiry to the DZ BANK data protection officer, they can be contacted at: DZ BANK AG Data protection officer Frankfurt am Main Telephone: Fax: Datenschutz@dzbank.de Any references to we or us refer to DZ BANK acting as the controller. Valid from May /6

2 2. What kind of data do we use, and where do we get it from? We process personal data which we receive from you in the context of our business relationship. Whenever the circumstances surrounding our business relationship require it, we also process personal data provided to us by other companies of the Volksbanken Raiffeisenbanken cooperative financial network and other third parties (e.g. SCHUFA and other credit agencies such as Bisnode, Creditreform, Schimmelpfeng, DHL and UPS address records, etc.) whenever we are permitted to do so (e.g. in order to execute orders, perform contracts or on the basis of your consent). We also process personal data which we are permitted to acquire from publicly accessible sources (e.g. debtors reports, title registers, trading and association registers, the press, the media, DHL and UPS address records). This personal data is made up of personal information (name, address and other contact information, date and place of birth and nationality), legitimation information (e.g. ID information) and authentication information (e.g. sample of signature). Personal data can also include order data (e.g. payment order), data related to the fulfilment of our contractual obligations (e.g. revenue data from payments processing, account data, accounting data, controlling data, credit limits, and product data such as deposits, loans and custody account business), information about your financial situation (e.g. credit rating, scoring/writing data, the source of your assets), advertising and marketing data (including advertising scores), documentation data (e.g. records of advice which has been given), register data, data about how you use our telemedia offerings (e.g. when you access our websites, apps or newsletters, the pages or entries which you click on) and other similar data. 3. For what purpose do we process your data, and on what legal basis? We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG): 3.1 In order to fulfil contractual obligations (Article 6(1b) GDPR) We process your personal data (Article 4(2) of the GDPR) to perform our contract with you or to take steps prior to entering into a contract. We also process your personal data in the context of the commissioning and execution of our orders, as well as for the purpose of activities related to the operation and administration of a credit or financial services institution. The precise purposes for which your personal data is processed is primarily dependent on the service which has been agreed or which will be agreed in future. These purposes can include needs assessments, advice and performing transactions. Additional details regarding the purpose for which your personal data is processed are provided in the relevant contract documents and terms and conditions. 3.2 For the purpose of legitimate interests (Article 6(1f) of the GDPR) If necessary, we will process your data beyond the scope of simply performing the contract for the purpose of legitimate interests pursued by us or a third party, e.g. Valid from May /6

3 consulting and exchanging information with information providers (e.g. SCHUFA and other credit agencies) in order to identify credit and default risks and the need for a non-seizable account or base account; reviewing and optimising the processes we use to analyse your needs and make contact with you directly; asserting legal claims and defending against legal disputes; guaranteeing the security and functionality of the bank s IT system; preventing and resolving criminal offences; video surveillance is used to collect evidence related to criminal offences, usage and deposits (at ATMs, for example). It protects customers and employees, and ensures that only authorised parties are granted access to data; building and facility security measures (e.g. access control); measures to ensure the safety of our buildings; measures related to management and the improvement of services and products. 3.3 On the basis of your consent (Article 6(1a) of the GDPR) If you give us your consent to process your personal data for specific purposes (e.g. passing on your data within the Group/cooperative financial network, evaluating payment data for marketing purposes), then this processing is considered lawful on the basis of your consent. You can withdraw your consent at any time. You can also withdraw any consent which you gave us before the GDPR came into effect (that is before 25 May 2018), such as the SCHUFA clause. Please note that withdrawing your consent will only have an effect going forwards. It does not affect the legality of any processing performed on the basis of your consent before you withdrew it. 3.4 On the basis of statutory requirements (Article 6(1c) of the GDPR) or in the public interest (Article 6(1e) of the GDPR) As a bank, we are subject to a number of legal requirements (e.g. the German Banking Act (KWG), Anti- Money Laundering Act (GwG), German Securities Trading Act (WpHG), tax legislation) and requirements imposed by regulators (e.g. the European Central Bank, the European Banking Authority, the German Central Bank and the Federal Financial Supervisory Authority). The purposes for which we process your personal data include credit checks, checking your identity and age, preventing fraud and money laundering, complying with control and reporting obligations under tax law and evaluating and managing risks. 4. Who receives my data? Your data is only made available within the bank to the extent required in order for us to comply with our contractual and statutory obligations. Contractors which we use (Article 28 of the GDPR) may also receive data for the aforementioned purposes. These include credit agencies, IT service providers, logistics companies, printers, telecommunication providers, collection agencies, consulting agencies and sales and marketing companies. Information about you will only be provided to recipients outside of the bank if we are required to do so by law, you give us your consent to do so, we are required to do so in order to perform the contract or take steps prior to entering into a contract, or we are authorised to do so on the basis of a legitimate interest. If we are required to do so on the basis of a statutory obligation or an official order, personal data may be provided to the following recipients, among others: Valid from May /6

4 public bodies and institutions (e.g. German Central Bank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, financial authorities). Other credit or financial services institutions or similar institutions to which we provide to your personal data for the purpose of the business relationship with you (these can include companies of the Volksbanken Raiffeisenbanken cooperative financial network, correspondent banks, custodian banks, exchanges and information providers, depending on the contract). Your data may also be provided to other recipients if you have given us your consent to do so. 5. How long will you keep my data for? If necessary, we will process and store your personal data for the duration of our business relationship. This includes the periods required to prepare and wind up a contract. Please note that our business relationship will last for a number of years. We are also required to comply with a number of retention and documentation obligations on the basis of the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Anti- Money Laundering Act and the German Securities Trading Act, as well as other legislation. The retention and documentation periods specified in these acts last between 2 and 10 years. The retention period is ultimately determined on the basis of statutory limitation periods. Sections 195 et seq. of the German Civil Code, for example, specify a limitation period which can be of up to 30 years in certain circumstances. 6. Do you transfer personal data to a third country or an international organisation? Personal data is only transferred to third countries (i.e. countries outside of the European Economic Area) if this is required in order to perform a contract, required by law or if you have given us your consent to do so. We will provide you with the relevant details if we are required to do so by law. 7. What are my rights? Every data subject has a right of access in accordance with Article 15 of the GDPR, a right to rectification in accordance with Article 16 of the GDPR, a right to erasure in accordance with Article 17 of the GDPR, a right to restriction of processing in accordance with Article 18 of the GDPR, and a right to data portability in accordance with Article 20 of the GDPR. Your right of access and your right to erasure are subject to the restrictions of Sections 34 and 35 of the German Federal Data protection Act. You also have a right to lodge a complaint with a supervisory data protection authority (Article 77 of the GDPR in conjunction with Section 19 of the German Federal Data protection Act). 8. Do I have to provide you with my personal data? You are only required to provide the personal data which is necessary in order to establish, implement and terminate a business relationship. You are also required to provide the personal data which we are legally Valid from May /6

5 obliged to collect. Without this data, we will not normally be able to conclude the contract or execute orders. We may also be required to terminate an existing contract which we are unable to perform. 9. To what extent is my personal data used for automated individual decision-making? We do not use any fully automated decision-making processes in order to establish and implement the business relationship in accordance with Article 22 of the GDPR. If we are legally required to do so, we will inform you if we use these processes in your individual case. Valid from May /6

6 Information regarding your right to object under Article 21 of the General Data Protection Regulation (GDPR) You have the right to object at any time on grounds relating to your particular situation to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions in the sense of Article 4(4) of the GDPR which we use for credit checks or marketing purposes. If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. There are no formal requirements for objections of this kind. Whenever possible, objections should be sent to: DZ BANK AG Frankfurt am Main or by Valid from May /6