Information on data protection for clients and other data subjects¹ - valid from 25/05/2018
With the following information, we would like to give you an overview on the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and the manner in which they are used is predominantly determined by the services requested or agreed. Therefore, not every element of this information may be applicable to you.
Who is responsible for data processing and who can I contact?
Responsibility lies with
Kaiserplatz, 60261 Frankfurt am Main
Telefon: +49 69 98 66 02 08
You can reach our internal Data Protection Officer under
Kaiserplatz, 60261 Frankfurt am Main
Telefon: +49 69 98 66 02 08
Which sources and which data do we use?
We process personal data which we receive from our clients and other concerned parties in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as debtors‘ lists, land registers, registers of commercial establishments and associations, press, Internet) or which have been legitimately transmitted to us from other companies of the Commerzbank Group or third parties (for example a credit bureau) to the extent necessary for rendering our services.
Relevant personal data are personal details (name, address and other contact data, date and place of birth and nationality), legitimisation data (such as data from ID cards) and also authentication data (such as a specimen signature). In addition, these may also be contract data (such as a payment order), data resulting from the performance of our contractual obligations (such as turnover data in payment transactions), information about your financial status (such as data on credit standing, data on scoring or rating, origin of assets), data relevant for loans (such as revenues and expenditures), advertising and sales data (including advertising scores), documentation data (such as a protocol on consultations) and other data comparable with the above-mentioned categories.
What is the purpose of processing your data (purpose of personal data processing) and on which legal basis does this take place?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG)
a) in order to comply with contractual obligations (Art. 6 (1 b) GDPR)
Data are processed for the purpose of providing and arranging banking services and financial services in connection with the performance of our agreements with our clients or for performing precontractual measures as a result of queries. The purposes of data processing are primarily determined by the specific product (such as an account, a loan, home purchase savings plans, securities, deposits, agency services) and may, among other things, include needs assessments, consultation, asset management and administration and the execution of transactions. For further details on the purposes of data processing, please refer to the pertinent contractual documents and our General Terms and Conditions.
b) within the scope of the balancing of interests (Art. 6 (1 f) GDPR)
To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Examples:
- Consultation of and exchange of data with credit bureaus (such as SCHUFA) so as to determine credit standing or default risks in connection with loans and the requirements in connection with exemption from seizure or basic accounts,
- analysis and optimisation of processes for needs analysis for the purpose of the direct approach of clients,
- advertising or market and opinion research unless you have objected to the use of your data,
- lodging legal claims and defence in case of legal disputes,
- ensuring IT security and the IT operation of the bank,
- prevention and investigation of criminal acts,
- video surveillance to exercise domiciliary rights, to collect evidence in case of attacks or fraud or as proof of disposals and deposits, for example at ATMs (also see Sec. 4 BDSG),
- measures for securing buildings and systems (such as admission control),
- measures to protect our domiciliary right,
- measures for business management and advanced development of services and products,
- risk management within the Commerzbank Group.
c) as a result of your consent (Art. 6 (1 a) GDPR)
To the extent you have consented to the processing of personal data by us for certain purposes (such as passing on data within the Commerzbank Group, analysis of payment transaction data for marketing purposes, photographs taken in connection with events, mailing newsletters), such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Revocation of consent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.
d) on the basis of statutory regulations (Art. 6 (1 c) GDPR) or in the public interest (Art. 6 (1 e) GDPR)
Moreover, we, as a bank, are subject to various legal obligations, i.e. statutory requirements (such as the Banking Act, the Law on Money Laundering, the Securities Trading Act, tax laws) and regulations relating to the supervision of banking (e.g. of the European Central Bank, the European Banking Supervisory Agency, the German Federal Bank and the Federal Agency for the Supervision of Financial Services). The purposes of processing include, among others, the assessment of creditworthiness, checking identity and age, prevention of fraud and money laundering, compliance with obligations of control and reporting under tax law and the assessment and management of risks in the bank and in the Commerzbank Group.
Who will receive my data?
Within the bank, those units will be granted access to your data that need them in order to comply with our contractual and statutory obligations. Service providers and agents appointed by us may also receive the data for these purposes on the condition that they, specifically, observe banking secrecy. These are companies in the categories banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation as well as sales and marketing.
As far as passing on data to recipients outside our bank is concerned, it must first be kept in mind that we, as a bank, are obliged to keep all client-related facts and assessments we become aware of in strict confidence (banking secrecy pursuant to no. 2 of our General Terms and Conditions). As a matter of principle, we may pass on information about our clients only if this is required by law, the client has given his consent or we have been granted authority to provide a bank reference. Under these circumstances, recipients of personal data may, for example, be:
- Public authorities and institutions (such as the European Central Bank, the European Banking Supervisory Agency, the German Federal Bank, the Federal Agency for the Supervision of Financial Services, tax authorities, authorities prosecuting criminal acts, family courts, land register authorities), provided a statutory obligation or an official decree is in place,
- other loan and financial services institutes or comparable institutes to whom we transmit your personal data for the purpose of performing transactions under our business relationship (depending on the agreement, for example, correspondent banks, depositary banks, stock exchanges, information bureaus),
- other companies belonging to the Commerzbank Group for the purposes of risk management on the basis of statutory or official obligations,
- creditors or liquidators submitting queries in connection with a foreclosure,
- service providers in connection with credit or bank cards or businessmen submitting queries if payment by card is denied,
- third parties involved in loan granting processes (such as insurance companies, building societies, investment companies, funding establishments, trustees, service providers carrying out value assessments),
- partners in the credit card business (such as American Express, Tchibo, Deutsche Bahn, TUI),
- service providers whom we involve in connection with contract data processing relationships.
Other recipients of data may be those bodies for which you have given us your consent to data transfer or, respectively, for which you have granted an exemption from banking secrecy on the basis of an agreement or consent or to which we may transfer personal data on the basis of the balancing of interests.
Will the data be transferred to a third country or an international organisation?
Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent
- this is required to carry out your orders (such as payment or securities orders),
- it is required by law (such as obligatory reporting under tax law) or
- you have given your consent.
Moreover, transfer to bodies in third countries is intended in the following cases:
- If necessary in individual cases, your personal data may be transmitted to an IT service provider in the United States or in another third country to ensure that the IT department of the bank remains operative, observing the European data protection rules.
- With the consent of the data subject the personal data of parties interested in bank products can be processed in the course of a CRM system also in the United States.
- With the consent of the data subject or as a result of statutory provisions on controlling money laundering, the financing of terrorism and other criminal acts and within the scope of the balancing of interests, personal data (such as legitimisation data) will be transmitted, observing the data protection level of the European Union.
For how long will my data be stored?
We process and store your personal data as long as this is required to meet our contractual and statutory obligations. In this respect, please keep in mind that our business relationship is a continuing obligation designed to last for years.
If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless – temporary – further processing is necessary for the following purposes:
- Compliance with obligations of retention under commercial or tax law which, for example, may result from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Law on Money-Laundering (GwG) and the German Law on Trading in Securities (WpHG). As a rule, the time limit specified there for retention or documentation is 2 to 10 years.
- Preservation of evidence under the statutory regulations regarding the statute of limitations. According to Secs. 195 et seqq. of the German Civil Code (BGB), these statutes of limitations may be up to 30 years, the regular statute of limitation being 3 years.
What are my rights with regard to data protection?
Every data subject has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As far as the right to obtain information and the right to erasure are concerned, the restrictions pursuant to Secs. 34 and 35 BDSG are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG).
Your consent to the processing of personal data granted to us may be revoked at any time by informing us accordingly. This also applies for the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.
Am I obliged to provide data?
Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.
Under the statutory regulations in connection with money laundering, we are especially obliged to identify you by an ID document before entering into business relations with you and, especially, to ask for and record your name, place of birth, date of birth, nationality, address and identity card details. So as to enable us to comply with these statutory obligations, you are obliged to provide the necessary information and documents in connection with the anti-money laundering law and to report any changes that may occur in the course of our business relationship. If you should fail to provide the necessary information and documents, we are not permitted to enter into the desired business relationship or to continue with such a relationship.
To what extent will decision-making be automated?
As a matter of principle, we do not use fully automated decision-making processes pursuant to Article 22 GDPR for establishing and performing a business relationship. In the event that we should use such processes in individual cases (for example when applying for credit cards) we will inform you of this and of your rights in this respect separately if prescribed by law.
Will profiling take place?
Your data will be processed automatically in part with the objective of evaluating certain personal aspects (profiling). For example, we will use profiling of the following cases:
- As a result of statutory and regulatory regulations, we are obliged to fight money laundering, the financing of terrorism and criminal acts jeopardising property. In that respect, data (among others, data in payment transactions) will be analysed. These measures also serve to protect you.
- So as to be able to inform you selectively about our products and to provide advice to you, we use analysis tools. These permit communication according to your needs and advertising including market and opinion research.
- In connection with the assessment of your credit-worthiness we use scoring. By scoring the probability of a client meeting his/her contractual payment obligations is calculated. This calculation, for example, may take into account a client‘s income and expenditures, existing financial obligations, the profession, employer, time of employment, previous experience from the business relationship, due redemption of earlier loans as well as information from credit bureaus. Scoring is based on a proven and recognised mathematical-statistical method. The resulting score values assist us in decision-making in connection with product transactions and will become part of the ongoing risk management.
Information about your right to object pursuant to Article 21 GDPR
Right to object based on individual cases
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6 (1) (data-processing in the public interest) and point (f) of Article 6 GDPR (data-processing on the basis of the balancing of interests); this also applies for profiling as defined in Article 4 point 4 GDPR.
If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.
Right to object to processing data for the purpose of direct marketing
In individual cases, we will process your personal data for the purpose of direct marketing. You have the right to object at any time against the processing of your personal data for the purposes of such marketing; this also applies for profiling to the extent it is connected to such direct marketing.
If you do object to processing for the purposes of direct marketing, we will refrain from using your personal data for such purposes henceforth.
Recipient of an objection
Such objection may be submitted informally under the heading "objection" indicating your name, your address and your date of birth and should be addressed to:
Kaiserplatz, 60261 Frankfurt am Main
Telefon: +49 69 98 66 02 08
Information to print
1 e.g. authorised representatives, potential customers of products, non-customers such as providers of third-party collateral