With the following information, we would like to give you an overview on the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and the manner in which they are used is predominantly determined by the services requested or agreed. Therefore, not every element of this information may be applicable to you.

• deutsche Version

Who is responsible for data processing and who can I contact?

Responsibility lies with

Commerzbank AG
Kaiserplatz, 60261 Frankfurt am Main
Telefon: +49 69 98 66 02 08
meinebank@commerzbank.com

You can reach our internal Data Protection Officer under

Commerzbank AG
Datenschutzbeauftragter
Kaiserplatz, 60261 Frankfurt am Main
Telefon: +49 69 98 66 02 08
datenschutzbeauftragter@commerzbank.com

Which sources and which data do we use?

We process personal data which we receive from our clients and other concerned parties in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as debtors‘ lists, land registers, registers of commercial establishments and associations, press, Internet) or which have been legitimately transmitted to us from other companies of the Commerzbank Group or third parties (for example a credit bureau) to the extent necessary for rendering our services.

Relevant personal data are personal details (name, address and other contact data, date and place of birth and nationality), legitimisation data (such as data from ID cards) and also authentication data (such as a specimen signature). In addition, these may also be contract data (such as a payment order), data resulting from the performance of our contractual obligations (such as turnover data in payment transactions), information about your financial status (such as data on credit standing, data on scoring or rating, origin of assets), data relevant for loans (such as revenues and expenditures), advertising and sales data (including advertising scores), documentation data (such as a protocol on consultations) and other data comparable with the above-mentioned categories.

What is the purpose of processing your data (purpose of personal data processing) and on which legal basis does this take place?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG)

a) in order to comply with contractual obligations (Art. 6 (1 b) GDPR)

Data are processed for the purpose of providing and arranging banking services and financial services in connection with the performance of our agreements with our clients or for performing precontractual measures as a result of queries. The purposes of data processing are primarily determined by the specific product (such as an account, a loan, home purchase savings plans, securities, deposits, agency services) and may, among other things, include needs assessments, consultation, asset management and administration and the execution of transactions. For further details on the purposes of data processing, please refer to the pertinent contractual documents and our General Terms and Conditions.

b) within the scope of the balancing of interests (Art. 6 (1 f) GDPR)

To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Examples:

c) as a result of your consent (Art. 6 (1 a) GDPR)

To the extent you have consented to the processing of personal data by us for certain purposes (such as passing on data within the Commerzbank Group, analysis of payment transaction data for marketing purposes, photographs taken in connection with events, mailing newsletters), such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Revocation of consent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.

d) on the basis of statutory regulations (Art. 6 (1 c) GDPR) or in the public interest (Art. 6 (1 e) GDPR)

Moreover, we, as a bank, are subject to various legal obligations, i.e. statutory requirements (such as the Banking Act, the Law on Money Laundering, the Securities Trading Act, tax laws) and regulations relating to the supervision of banking (e.g. of the European Central Bank, the European Banking Supervisory Agency, the German Federal Bank and the Federal Agency for the Supervision of Financial Services). The purposes of processing include, among others, the assessment of creditworthiness, checking identity and age, prevention of fraud and money laundering, compliance with obligations of control and reporting under tax law and the assessment and management of risks in the bank and in the Commerzbank Group.

Who will receive my data?

Within the bank, those units will be granted access to your data that need them in order to comply with our contractual and statutory obligations. Service providers and agents appointed by us may also receive the data for these purposes on the condition that they, specifically, observe banking secrecy. These are companies in the categories banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation as well as sales and marketing.

As far as passing on data to recipients outside our bank is concerned, it must first be kept in mind that we, as a bank, are obliged to keep all client-related facts and assessments we become aware of in strict confidence (banking secrecy pursuant to no. 2 of our General Terms and Conditions). As a matter of principle, we may pass on information about our clients only if this is required by law, the client has given his consent or we have been granted authority to provide a bank reference. Under these circumstances, recipients of personal data may, for example, be:

Other recipients of data may be those bodies for which you have given us your consent to data transfer or, respectively, for which you have granted an exemption from banking secrecy on the basis of an agreement or consent or to which we may transfer personal data on the basis of the balancing of interests.

Will the data be transferred to a third country or an international organisation?

Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent

Moreover, transfer to bodies in third countries is intended in the following cases:

For how long will my data be stored?

We process and store your personal data as long as this is required to meet our contractual and statutory obligations. In this respect, please keep in mind that our business relationship is a continuing obligation designed to last for years.

If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless – temporary – further processing is necessary for the following purposes:

What are my rights with regard to data protection?

Every data subject has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As far as the right to obtain information and the right to erasure are concerned, the restrictions pursuant to Secs. 34 and 35 BDSG are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG).

Your consent to the processing of personal data granted to us may be revoked at any time by informing us accordingly. This also applies for the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.

Am I obliged to provide data?

Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.

Under the statutory regulations in connection with money laundering, we are especially obliged to identify you by an ID document before entering into business relations with you and, especially, to ask for and record your name, place of birth, date of birth, nationality, address and identity card details. So as to enable us to comply with these statutory obligations, you are obliged to provide the necessary information and documents in connection with the anti-money laundering law and to report any changes that may occur in the course of our business relationship. If you should fail to provide the necessary information and documents, we are not permitted to enter into the desired business relationship or to continue with such a relationship.

To what extent will decision-making be automated?

As a matter of principle, we do not use fully automated decision-making processes pursuant to Article 22 GDPR for establishing and performing a business relationship. In the event that we should use such processes in individual cases (for example when applying for credit cards) we will inform you of this and of your rights in this respect separately if prescribed by law.

Will profiling take place?

Your data will be processed automatically in part with the objective of evaluating certain personal aspects (profiling). For example, we will use profiling of the following cases:

Right to object based on individual cases

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6 (1) (data-processing in the public interest) and point (f) of Article 6 GDPR (data-processing on the basis of the balancing of interests); this also applies for profiling as defined in Article 4 point 4 GDPR.

If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.

Right to object to processing data for the purpose of direct marketing

In individual cases, we will process your personal data for the purpose of direct marketing. You have the right to object at any time against the processing of your personal data for the purposes of such marketing; this also applies for profiling to the extent it is connected to such direct marketing.

If you do object to processing for the purposes of direct marketing, we will refrain from using your personal data for such purposes henceforth.

Recipient of an objection

Such objection may be submitted informally under the heading "objection" indicating your name, your address and your date of birth and should be addressed to:

Commerzbank AG
Kaiserplatz, 60261 Frankfurt am Main
Telefon: +49 69 98 66 02 08
widerspruch@commerzbank.com

Information to print

• Information on data protection