Notes on data protection at Fidor Bank AG

I. Privacy policy for the website of Fidor Bank AG

II. Data protection information according to Art. 13, 14 GDPR of Fidor Bank AG 

 

 

Privacy policy for the website of Fidor Bank AG

1. General information and principles of data processing

We are pleased that you are visiting our website. The protection of your privacy and of your personal data when using our website is important to us.

According to Art. 4 No. 1 GDPR, personal data is all information relating to an identified or identifiable natural person. This includes, for example, information such as your first and last name, your address, your telephone number, your e-mail address, but also your IP address.

Data that cannot be related to your person, such as through anonymisation, are not personal data. Processing (e.g. collection, storage, reading, retrieval, use, transmission, deletion or destruction) pursuant to Art. 4 No. 2 GDPR always requires a legal basis or your consent. Processed personal data must be deleted as soon as the purpose of the processing has been achieved and there are no longer any statutory storage obligations to be met.

Here you will find information about the handling of your personal data when you visit our website. In order to provide the functions and services of our website, it is necessary for us to collect personal data about you.

We also explain to you the type and scope of the data processing, the purpose and the corresponding legal basis, and the respective storage period.

This privacy policy only applies to this website under the domain fidor.de. It does not apply to other websites to which we merely refer through a hyperlink. We cannot be responsible for the confidential treatment of your personal information on these third-party websites, as we have no control over whether these companies comply with the privacy policy. Please inform yourself about the handling of your personal data by these companies directly on these web pages.

 

2. Who is responsible for data processing?

Responsible for the processing of your personal data is the

Fidor Bank AG

Sandstr. 33 | 80335 Munich | Germany

Head Office: +49 89 189 085 233
Fax: +49 89 189 085 199

E-mail: info@fidor.de
Internet: www.fidor.de

Represented by the Board of Directors: Pascal Cirelli

 

3. How can you contact our Data Protection Officer?

If you have any questions regarding data protection, you can also contact our Data Protection Officer at any time:

Dr. Georg Schröder, LL.M.
Data Protection Officer

HEUSSEN Rechtsanwaltsgesellschaft mbH

Brienner Straße 9 | 80333 Munich

Tel.: +49 89 29 09 70
Fax: +49 89 290 97 200

E-mail: datenschutz@fidor.de

 

4. Provision and use of the website / server log files

a) Nature and extent of the data processing       

If you use this website without transmitting data to us in any other way (e.g. by registration or use of the contact form), we collect technically necessary data via server log files, which are automatically transmitted to our server, among other things:

  • IP address
  • Date and time of the request
  • Name and URL of the retrieved file
  • Website from which access is made (referrer URL)
  • Access status/HTTP status code
  • Browser type
  • Language and version of the browser software
  • Operating system

 

b) Purpose and legal basis

This processing is technically necessary in order to be able to display our website to you. We also use the data to ensure the security and stability of our website.

The legal basis for this processing is Art. 6 para. 1 lit. f) GDPR. The processing of the mentioned data is necessary for the provision of a website and thus serves the protection of a legitimate interest of our company.
 

c) Storage period

As soon as the personal data mentioned is no longer required to display the website, it will be deleted. The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Consequently, there is no possibility for the user to object to this aspect. A further storage can take place in individual cases, if this is legally prescribed.

 

5. Use of cookies

a) Nature, extent and purpose of the data processing

We use cookies to facilitate and improve the use of our website. Cookies are small files containing text information that are stored on a computer when a website is visited via the web browser. This serves the recognition of a session, for example when logging in permanently to a website.

Some functions of our website cannot be offered without the use of technically necessary cookies. Other cookies, on the other hand, allow us to perform various analyses. For example, some cookies may recognise the browser you are using when you return to our website and transmit various information to us. Cookies also allow us to make our website more user-friendly and effective for you, for example by tracking your use of our website and determining your preferred settings (e.g. country and language settings). If third parties process information via cookies, they collect the information directly via your browser. However, cookies do not damage your terminal device. They cannot run programs or contain viruses. Various types of cookies are used on our website, the nature and function of which are explained below.

 

Temporary cookies / session cookies

So-called temporary cookies or session cookies are used on our website, which are automatically deleted as soon as you close your browser. This type of cookie makes it possible to record your session ID. This makes it possible to assign different requests from your browser to a common session and it is possible to recognise your terminal device during later website visits.

 

Permanent cookies

So-called permanent cookies are used on our website. Permanent cookies are cookies that are stored in your browser for a longer period of time and can transmit information. The respective storage period varies depending on the cookie. You can delete permanent cookies independently via your browser settings.

 

Third-party cookies

We use analytical cookies to monitor anonymous user behaviour on our website.

We also use advertising cookies. These cookies can be used to track user behaviour for advertising and targeted marketing purposes.

Social media cookies allow you to connect to your social networks and share content from our website within your networks.

 

Configuration of browser settings

Most web browsers are preset to accept cookies automatically. However, you can configure your browser so that it only accepts certain cookies or no cookies at all. However, we would like to point out that you may then no longer be able to use all the functions of our website.

You can also delete cookies already stored in your browser via your browser settings. It is also possible to set your browser so that it notifies you before cookies are stored. Since the different browsers can differ in their respective functionalities, we ask you to use the respective help menu of your browser for the corresponding configuration options.

Disabling the use of cookies may require the storage of a permanent cookie on your computer. If you subsequently delete this cookie, you must deactivate it again.

 

b) Legal basis

Due to the purposes described, the legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f) GDPR. If you have given us your consent to the use of cookies on the basis of a notice ("cookie banner") provided by us on the website, the legal basis is also Art. 6 para. 1 lit. a) GDPR.

 

c) Storage period

As soon as the data transmitted to us via cookies is no longer required for the purposes described above, this information is deleted. A further storage can take place in individual cases, if this is legally prescribed.

 

6. Data collection for the implementation of pre-contractual measures and for the fulfilment of contracts

a) Nature and extent of the data processing

In the pre-contractual area and at contract conclusion we collect personal data about you. This applies, for example, to first and last name, address, e-mail address, telephone number or bank details.

 

b) Purpose and legal basis of data processing

We collect and process this data exclusively for the purpose of executing the contract or fulfilling pre-contractual obligations. The legal basis for this is Art. 6 (1) (b) GDPR. If, in addition, you have given your consent, the additional legal basis is Art. 6 para. 1 lit. a) GDPR.

 

c) Storage period

The data shall be deleted as soon as they are no longer necessary for the purpose of their processing.

In addition, there may be legal storage obligations, for example commercial or fiscal storage obligations according to the German Commercial Code (HGB) or the German Tax Code (AO). If such storage obligations exist, we block or delete your data at the end of these storage obligations.

 

7. Registration option

a) Nature and extent of the data processing

You can register on our website. When you register, we collect and store the data you enter in the input mask (e.g. last name, first name, e-mail address). A passing on to third parties does not take place.

 

b) Purpose and legal basis of data processing

Your registration is required for the use of certain content and services on our website or for the performance of a contract or for the implementation of pre-contractual measures. After registration, you are free to modify the personal data provided during registration at any time or to have them completely deleted from the database of the data controller. In the case of consent, the legal basis for processing is Art. 6 para. 1 lit. a) GDPR. If your registration serves to prepare the conclusion of a contract, Art. 6 para. 1 lit. b) GDPR is the additional legal basis.


c) Storage period

The data collected during registration are stored by us as long as you are registered on our website and are then deleted. In addition, your registered personal data will be deleted if you delete your user account on our website. If your registration data and other data are necessary for the performance of a contract to which you are a party, or for the implementation of pre-contractual measures, the data will only be deleted when they are no longer required for the performance of the contract or the implementation of pre-contractual measures. Legal retention periods remain unaffected.

 

8. Application possibility

a) Type and scope of data processing

You can apply on our website or by e-mail. When you apply, we collect and store the data that you enter into the input mask or that you send us by e-mail.

 

b) Purpose and legal basis

We process your data only for the purpose of processing your application. A passing on to third parties does not take place. The legal basis for the processing is Art. 88 Para. 1 GDPR in connection with § 26 BDSG (German Federal Data Protection Act) and additionally Art. 6 para. 1 lit. b) GDPR.

If you give us your consent to be included in our applicant pool, the legal basis is Art. 6 para. 1 lit. a) GDPR.

 

c) Storage period

If we are unable to offer you a job, we will store your data for a maximum of six months after completion of the application process, taking into account Section 61b Paragraph 1 ArbGG (German Law on Employment) in conjunction with Section 15 AGG (General Equal Treatment Act). The start of the period is the date of receipt of the letter of refusal.

If you have given us your consent to be included in our applicant pool, we will store your data for a maximum of two years.

 

d) Data transfer

Your data will only be sent to those departments that are involved in the decision (responsible personnel or specialist departments, management, works council). In addition, we may be obliged to transfer your data to public bodies and institutions (e.g. public prosecutors, police, supervisory authorities, tax authorities, social insurance institutions, etc.).

Other data recipients may be those for whom you have given us your consent for data transmission.

 

9. Comment function

a) Type and scope of data processing

On our website you can write and comment on articles. If you write or comment on a contribution, we collect and store the data you enter in the input mask. In addition to the comments you leave, we also store and publish information about the time you enter your comments and any user names (pseudonyms) you have chosen. Furthermore, the IP address assigned to the person concerned by the Internet Service Provider (ISP) is stored. A passing on to third parties does not take place.

 

b) Purpose and legal basis

The data transmitted by you (e.g. the IP address) is stored for security reasons and for the event that the person concerned violates the rights of third parties by submitting a comment or posts illegal content.

This collected personal data will not be passed on to third parties unless such a passing on is prescribed by law or serves the legal defence of the controller.

The legal basis for the processing of personal data transmitted when using the comment function is Art. 6 para. 1 lit. a) GDPR, if and to the extent that you have given your consent. You can revoke this consent at any time. The legality of the data processing operations that have already taken place remains unaffected by the revocation. Another legal basis is Art. 6 para. 1 lit. f) GDPR. We have a legitimate interest in the processing if third party rights are violated or illegal content is posted. This serves security if someone writes illegal content in comments and contributions (insults, forbidden political propaganda etc.).

 

c) Storage period

The comments and the associated data (e.g. IP address) are stored and remain on our website until the commented content has been completely deleted or the comments have to be deleted for legal reasons.

 

10. Contact possibilities by e-mail

You can contact us via e-mail on our website.

 

a) Nature and extent of the data processing       

You can contact us by e-mail. Our data collection is limited to the e-mail address of the e-mail account used by you to contact us and to the personal data that you have made available to us at any time during the contact process.

 

b) Purpose and legal basis

The purpose of the data processing is the possibility to answer your request properly. The legal basis for this is Art. 6 para. 1 lit. f) GDPR. There is a justified interest in the processing of the above-mentioned personal data in order to be able to process your request properly.

 

c) Storage period        

The duration of the storage of the above data depends on the background of your contact. Your personal data will be deleted on a regular basis if the purpose of the communication no longer applies and storage is no longer necessary. This can result, for example, from a processing of your request.

 

11. Newsletter

a) Nature and extent of the data processing

On our website you have the possibility to subscribe to a free regular e-mail newsletter. In order to send you the newsletter regularly, we need your e-mail address.

In connection with the newsletter dispatch a passing on of your data takes place if necessary to our newsletter service provider who is active in the way of the order processing for us; a passing on beyond that to third parties does not take place.

For the newsletter dispatch we use the so-called double opt-in procedure.

This means that we will not send you an e-mail newsletter until you have expressly confirmed that you agree to receive the newsletter. We will then send you a confirmation e-mail asking you to confirm that you wish to receive future newsletters from us by clicking on the appropriate link.

This serves to ensure that only you yourself as the owner of the e-mail address provided can register for the newsletter. Your confirmation must be sent promptly after receipt of the confirmation e-mail, otherwise your newsletter subscription will be automatically deleted from our database.

When you subscribe to the newsletter, we collect and store the data you enter in the input mask (e.g. last name, first name, e-mail address).

When you register for the newsletter, we also save your IP address assigned by the Internet Service Provider (ISP) as well as the date and time of registration in order to be able to track any possible misuse of your e-mail address at a later point in time. For the confirmation e-mail sent for control purposes (double opt-in e-mail), we also store the date and time of the click on the confirmation link and the IP address assigned by the Internet Service Provider (ISP).

 

b) Purpose and legal basis

The data collected by us when registering for the newsletter will be used exclusively for the purpose of advertising the newsletter.

In accordance with Art. 6 Para. 1 lit. a) GDPR and § 7 Para. 2 No. 3 UWG (German Unfair Competition Act), the processing of your e-mail address for newsletter dispatch is based on the declaration of consent voluntarily given by you in the following and revocable at any time for the future. In addition, the processing is based on Art. 6 para. 1 lit. f) GDPR due to our legitimate interest in documenting the evidence of the necessary consent.

 

c) Storage period

Your e-mail address will be stored as long as you have subscribed to the newsletter. After unsubscribing from the newsletter your e-mail address will be deleted unless you have expressly consented to further use of your data.

 

12. Social plugins

As a user of our website, we would like to give you the opportunity to use social networks (social media platforms).

a) Facebook

We currently use the following social plug-in from Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (hereinafter "Facebook"):

- Facebook button "Share" (Share button; recognisable by the Facebook logo and the addition "Share"; for more information see developers.facebook.com/docs/plugins/share-button)

When you visit a page on our Web site that contains such a plug-in, your browser connects directly to Facebook's servers in the United States and transmits data to Facebook. This is the case even if you do not click on the respective button and does not require that you have created an account on Facebook.

We have no control over what data is specifically collected and transmitted and how Facebook processes or uses it. As far as we can trace it, Facebook receives, among other things, the information that your browser has called up the respective page of our website, including date and time, if applicable, as well as other browser- or device-related information, the assigned IP address, if applicable, and the information that you have clicked the share button. Facebook also uses cookies. The information is stored by Facebook in the USA and assigned to your Facebook profile. The information that you have clicked the share button regarding the respective web page from us will be published in your Facebook profile and displayed to your Facebook friends.

Facebook is exclusively responsible for the collection, processing and use of your data. Further information from Facebook about the collection, processing and use of your data by Facebook can be found at the Internet address www.facebook.com/privacy/explanation and at the Internet address developers.facebook.com/docs/plugins/faqs. We are not responsible for the information on Facebook.

If you do not want Facebook to associate the information with your Facebook profile, you must not be signed in to the social media platform Facebook, or you must log out of it. If you are logged out and click on the respective button, a pop-up window appears in which you can log in to Facebook.

 

b) Twitter

We currently use the following social plug-ins from Twitter, Inc. 1355 Market St, Suite 900, San Francisco, CA 94103, USA:

- Twitter button "Tweet" (Twitter share button; see https://dev.twitter.com/web/tweet-button for details).

If you maintain an account with Twitter, Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA is responsible for account holders domiciled in the United States and Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland is responsible for account holders domiciled outside the United States (hereinafter both together "Twitter").

When you visit a page on our Web site that contains the Twitter plug-in, your browser connects directly to Twitter's servers in the United States and transmits data to Twitter. If you are logged on to Twitter at this time, your visit to our website and other data can be assigned to your Twitter account and stored on Twitter. Even if you do not have a Twitter account, Twitter may store and use your IP address.

We have no influence on what data is specifically collected and transmitted and how Twitter processes or uses it.

Twitter is solely responsible for the collection, processing and use of your data. Further information from Twitter about the collection, processing and use of your data by Twitter can be found in Twitter's privacy policy at the Internet address twitter.com/en/privacy. We take no responsibility for the information on Twitter. Twitter states the following in its privacy policy (Status: 18 June 2017):

"Based on your visits to third-party websites that contain Twitter content such as embedded timelines or tweet buttons, we may tailor our services to you. When you view our content on these websites, we may receive log information that includes the web page you visited. We never link your web activity to your name, email address, telephone number or Twitter username, and we delete, disguise or aggregate them after a maximum of 30 days. We may use interests or other information that we derive from this information to improve our services and tailor content to you, such as follow suggestions, advertisements, or other content that may be of interest to you. You can view and control the interests we use to personalise your experience in your Twitter data at https://twitter.com/your_twitter_data. You can also set your personalisation and privacy preferences to allow us to track your visits to websites with Twitter content. These can be found at  https://twitter.com/personalization.

 

c) LinkedIn

We would like to inform you about the processing of personal data via the function of the InShare button of LinkedIn.

You can recognise the button by the sign "in" and the addition "Share" (more information at https://developer.linkedin.com/plugins/share).

According to LinkedIn, LinkedIn receives information about your visits and interactions with services provided by third parties when you log in through LinkedIn or visit third party services that contain the InShare button.

We have no influence on which data is specifically collected and transmitted and how LinkedIn processes or uses it.

LinkedIn is solely responsible for the collection, processing and use of your data. Further information from LinkedIn about the collection, processing and use of your data by LinkedIn can be found at the Internet address https://www.linkedin.com/legal/privacy-policy. We assume no responsibility for the information provided by LinkedIn.

If you do not want LinkedIn to associate the information with your LinkedIn profile, you must not be logged in to the LinkedIn social media platform, or you must log out of it. If you are logged out and click on the respective button, a pop-up window appears in which you can log in to LinkedIn.
 

d) Legal basis

The legal basis for the collection and processing of the data is Art. 6 para. 1 lit. f) GDPR. Through the social plug-ins we offer you the possibility to interact with social networks and other users, so that we can improve our offer and make it more interesting for you as a user.

The respective provider stores the data collected about you as user profiles and uses these for the purposes of advertising, market research and/or the design of its website to meet requirements. Such evaluation is carried out in particular (also for users who are not logged in) in order to display demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective provider to exercise this right.

With the US providers Facebook, Twitter and LinkedIn, data is transmitted to the USA. They have submitted to the EU-US Privacy Shield: http://www.privacyshield.gov/EU-US-Framework

 

13. Social Media Platforms

We also integrate social media platforms partly via links behind the respective logo graphics of the provider of the social media platform. Here, no data is automatically transferred to the providers, but only when you want to switch to the social media platform and actively click on the link. We have no influence on which data is collected and transmitted and how the providers process or use it. The providers are solely responsible for data processing after forwarding; further information can be found in their data protection declarations. We assume no responsibility for the information provided by the providers.

Social media platforms that we integrate in this way are currently:

  • Facebook: Provider: Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA: www.facebook.com/policy.php
  • Twitter: Provider: Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA: www.twitter.com/privacy
  • YouTube: Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA ("Google"). You can find more information about data protection at Google here: https://www.google.de/intl/de/policies/privacy.
  • SlideShare: Provider: Within the EU / EEA: LinkedIn Ireland Unlimited Company, outside LinkedIn Corporation. Further information on data protection at SlideShare can be found at the Internet address https://www.linkedin.com/legal/privacy-policy
  • Instagram: Provider: Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA ("Facebook"). You can find more information about data protection on Facebook at the Internet address: www.facebook.com/privacy/explanation.  

 

14. Tracking and analysis tools

We use tracking and analysis tools to ensure continuous optimisation and design of our website to meet your needs. Through the use of tracking and analysis measures, it is also possible for us to statistically record the use of our website by visitors and to further develop our online presence for you through the knowledge gained thereby.

We have a legitimate interest in this, which justifies the use of the following tracking and analysis tools pursuant to Art. 6 para. 1 lit. f) GDPR.

If you have given us your consent to the use of cookies on the basis of a notice ("cookie banner") provided by us on the website, the legality of the use is additionally governed by Art. 6 para. 1 lit. a) GDPR.

Our website uses the following analysis and tracking tools, which are described here: Analysis and Tracking Tools.

 

15. Credit bureaus

We make use of the services of credit agencies (e.g. SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany, https://www.schufa.de/de/datenschutz-dsgvo/, and Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss, Germany; the data protection declaration of Creditreform Boniversum GmbH can be found here: https://www.boniversum.de/eu-dsgvo/informationen-nach-eu-dsgvo-fuer-verbraucher/) within the framework of the entire business relationship with you, insofar as this is necessary and permissible to safeguard our legitimate interests or the legitimate interests of third parties or to fulfil statutory obligations. This includes in particular:

 

  • Transmission of the data collected from you concerning the application, execution and termination of business relations as well as data concerning non-contractual behaviour or fraudulent behaviour.
  • Data exchange to determine creditworthiness or default risks and the requirements for the garnishment protection account or base account.
  • Measures to prevent money laundering and terrorist financing or the prevention and investigation of criminal offences.

 

The information obtained from the credit agencies forms the basis for the decision on credit applications (including credit cards) and serves to minimise financial risks for all parties involved. Information can also be obtained outside a credit request, e.g. when opening an account and issuing debit cards, if this is necessary to reduce financial risks.

It is also possible that the decision on the opening of an account or the credit application is automatically taken by the computer system on the basis of the information obtained. Negative information leads to a rejection of the account opening, the card application or the credit application.

 

16. What rights do you have with regard to data protection?

Here you will find your rights regarding your personal data. Details can be found in Articles 7, 15-22 and 77 GDPR. You can contact the responsible office (point 1) or the Data Protection Officer (point 2) in this regard.

a) Right to revoke your data protection consent pursuant to Art. 7 Para. 3 S. 1 GDPR

You can revoke your consent to the processing of your personal data at any time with effect for the future. However, this shall not affect the lawfulness of the processing carried out until revocation.

 

b) Right to information pursuant to Art. 15 GDPR

You have the right to request confirmation as to whether we process any personal data concerning you. If this is the case, you have the right to information about this personal data as well as other information, e.g. the processing purposes, the recipients and the planned duration of storage or the criteria for determining the duration.

 

c) Right to rectification and completion pursuant to Art. 16 GDPR

You have the right to demand the correction of incorrect data without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete data.

 

d) Right to cancellation ("right to be forgotten") pursuant to Art. 17 GDPR

You have the right to have the data deleted if processing is not necessary. This is the case, for example, if your data is no longer necessary for the original purposes, if you have withdrawn your declaration of consent under data protection law or if the data have been unlawfully processed.

 

e) Right to limitation of processing pursuant to Art. 18 GDPR

You have the right to limit the processing, e.g. if you are of the opinion that the personal data is incorrect.

 

f) Right to data transferability pursuant to Art. 20 GDPR

You have the right to receive your personal data in a structured, common and machine-readable format.

 

g) Automated decision in individual cases including profiling pursuant to Art. 22 GDPR

You have the right not to be subject to a decision based exclusively on automated processing, including profiling, except in the exceptional circumstances mentioned in Art. 22 GDPR.

 

An automated decision making including profiling does not take place with us. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.

 

h) Complaint to a data protection supervisory authority pursuant to Art. 77 GDPR

You can also file a complaint with a data protection supervisory authority at any time, for example if you believe that the data processing does not comply with data protection regulations.

 

The competent data protection supervisory authority is the following:

Bavarian State Office for Data Protection Supervision

P.O. Box 606

91511 Ansbach

Germany

Telephone: +49 (0) 981 53 1300

Fax: +49 (0) 981 53 98 1300

E-mail: poststelle@lda.bayern.de

Homepage: http://www.lda.bayern.de

 

17. Which data are you obliged to provide?

As part of our business relationship, you must provide the personal information necessary to establish and conduct a business relationship and to fulfil the contractual obligations associated therewith, or which we are required by law to collect. Without this information, we will generally not be able to enter into or execute the contract with you.

If you are authorised to represent us, you must provide us with the personal data that are necessary for the collection and execution of a representation/authorisation and the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we usually have to reject you as an authorised representative or cancel an existing authorisation.

In particular, we are obliged under the provisions of money laundering law to identify you on the basis of your identification document before establishing the business relationship or the power of representation/authorisation and to collect and record your name, place of birth, date of birth, nationality, address and identification data. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not establish or continue the business relationship you have requested or set up or continue the power of representation/authorisation you have requested.

 

18. Is profiling taking place?

We partially process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

 

  • Due to legal and regulatory requirements, we are obliged to combat money laundering, terrorist financing and property-threatening crimes. Data evaluations are also carried out (e.g. in payment transactions). These measures also serve to protect you.
  • In order to be able to provide you with targeted information and advice on products, we use evaluation tools. These enable needs-based communication and advertising, including market and opinion research.
  • We use scoring to assess your creditworthiness. The probability with which a customer will meet its payment obligations in accordance with the contract is calculated. For example, income, expenses, existing liabilities, occupation, employer, length of employment, experience from the previous business relationship, contractual repayment of previous loans and information from credit agencies can be included in the calculation.

 

The scoring is based on a mathematically-statistically recognised and proven procedure. The calculated scores support us in making decisions in the context of product closures and are included in ongoing risk management.

 

19. Information on the right of objection under Article 21 GDPR

Right of objection in individual cases

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you carried out pursuant to Article 6 para. 1 letter e) GDPR (data processing in the public interest) and Article 6 para. 1 letter f) GDPR (data processing on the basis of a balancing of interests), including profiling based on this provision within the meaning of Article 4 No. 4 GDPR.

If you file an objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

 

Right to object to the processing of data for direct marketing purposes

In individual cases we process your personal data in order to operate direct advertising. You have the right at any time to object to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling in so far as it is connected with such direct advertising.

If you object to the processing for purposes of direct marketing, we will no longer process your personal data for these purposes.

 

Addressee of an objection

The objection can be made informally (preferably with the subject "Objection"), stating your name, your address and your date of birth, and should be addressed to:

 

Fidor Bank AG

Sandstr. 33 | 80335 Munich | Germany

Head Office: (089) 189 085 233

Fax: (089) 189 085 199

E-mail: info@fidor.de

 

[Last updated: February 2019]

Data protection information according to Art. 13, 14 GDPR of Fidor Bank AG

Our activities also require the collection and processing of personal data. Below we would like to give you a brief overview of how your personal data is processed by us and what rights you are entitled to under the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Which data is processed in detail and how it is used depends largely on the services requested or agreed, so not all of the information in this document may apply to you.

Please also pass on the information to current and future authorised representatives and beneficial owners as well as any co-obligated parties of a loan. These include, for example, beneficiaries in the event of death, authorised signatories or guarantors.

 

1. Who is responsible for data processing?

Responsible for the processing of your personal data is the

 

Fidor Bank AG

Sandstr. 33 | 80335 Munich | Germany

Head Office: (089) 189 085 233

Fax: (089) 189 085 199

E-mail: info@fidor.de

Internet: www.fidor.de

Represented by the Board of Directors: Pascal Cirelli

 

2. How can you contact our Data Protection Officer?

If you have any questions regarding data protection, you can also contact our Data Protection Officer at any time:

 

Dr. Georg Schröder, LL.M.

Data Protection Officer

HEUSSEN Rechtsanwaltsgesellschaft mbH

Brienner road 9

80333 Munich

Tel.: +49 89 29 09 70

Fax: +49 89 290 97 200

E-mail: datenschutz@fidor.de

 

3. Which data do we use and from which sources do they originate?

We collect your personal data when you contact us, e.g. as an interested party, authorised representative, applicant or customer. That is, in particular, if you are interested in our products, submit applications or use our products and services within the framework of an existing business relationship. In addition, we process – to the extent necessary for the provision of our services – personal data which we obtain from publicly accessible sources (e.g. debtor directories, land registers, commercial and association registers, press, Internet, transparency registers) or which are transmitted to us by other companies of the Fidor Bank Group or by other third parties (e.g. a credit agency) with permission.

Relevant personal data in the interested party process, when entering master data, in the course of authorisation, as co-obligated party of a loan (e.g. guarantor), etc. can be: Personal data (name, address and other contact details (mainly e-mail address, telephone number), date and place of birth and nationality, marital status, gender, legal capacity, occupational group, employer if applicable and type and duration of employment relationship, residential status (property/rent), identification data (e.g. ID card data), authentication data (e.g. signature sample), tax ID, SCHUFA score, FATCA status and EU basic account identification.

In addition, this may also include the following types of data: Order data (e.g. payment order), data from the fulfilment of our contractual obligations (e.g. turnover data in payment transactions), tax information, information on your financial situation (e.g. creditworthiness data, scoring rating data, origin of assets, income/surplus calculations, balance sheets, business analyses, etc.), information and records on knowledge and/or experience with securities, interest rate and currency products/money investments (MiFID status: (e.g. land register excerpts, property valuations), advertising and sales data (including advertising scores, information on participation in direct marketing measures, contact channel, date, occasion and result of the consultation, (electronic) copies of correspondence, newsletter opt-in (this is saved during the double opt-in process): IP address, date and time of registration and date and time of clicking on the confirmation link in the confirmation e-mail and IP address), community data (data that you share with other customers and the public within the Fidor community, such as your questions/answers, profile information, photo, etc.), documentation data (e.g. consultation protocol) and other data comparable to the categories mentioned.

 

4. For what purposes will your data be processed and on what legal basis?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):

 

a) For the fulfilment of contractual obligations (Art. 6 para. 1 letter b) GDPR)

The processing of personal data is carried out to provide banking transactions and financial services within the framework of the execution of our contracts with our customers or to carry out pre-contractual measures, which take place at your request.

The purposes of data processing depend primarily on the specific product you are using (e.g. account, credit, etc.) and may include, but are not limited to, needs analyses, advice, asset management and support, and the execution of transactions. Further details for the purpose of data processing can be found in the respective contract documents and terms and conditions. Within the scope of fulfilling contractual obligations, data is also exchanged with credit card providers if a credit card is applied for and made available via Fidor Bank AG. This also includes automatic data exchange as part of the Mastercard Automatic Billing Updater (ABU) database to minimise the rejection of card payments when credit card data expires or changes are made.

 

b) In the context of balancing interests (Art. 6 para. 1 letter f) GDPR)

If necessary, we process your data beyond the fulfilment of contractual obligations to protect the legitimate interests of us or third parties.

Examples of this are:

  • Consultation and data exchange with credit agencies (e.g. SCHUFA, Creditreform Boniversum GmbH*) to determine creditworthiness and default risks in the credit business,
  • Testing and optimisation of procedures for needs analysis
  • for the purpose of direct customer contact, advertising or market and opinion research, provided that you have not objected to the use of your data,
  • Assertion of claims and defence in legal disputes,
  • Ensuring the IT security and IT operations of our company and its contractual partners,
  • Prevention and investigation of criminal offences,
  • Video surveillance to ensure building and plant safety and the safety of our employees,
  • Measures for building and plant security (e.g. access controls),
  • Measures for business management and further development of services and products,
  • Risk management in our company and in affiliated companies.

 

c) Based on your consent (Art. 6 para. 1 letter a) GDPR)

If you have given us your consent to the processing of personal data for certain purposes (e.g. use of telephone and e-mail or postal address for advertising purposes, dispatch of invitations to sales events or newsletters), the legality of this processing is given on the basis of your consent. A given consent can be revoked at any time. The revocation of the consent does not affect the legality of the data processed until the revocation.

 

d) To fulfil our legal obligations (Art. 6 para. 1 letter c) GDPR) or in the public interest (Art. 6 para. 1 letter e) GDPR)

As a bank, we must meet a wide range of legal requirements (e.g. under the German Banking Act (KWG), the Money Laundering Act (GwG), the Securities Trading Act (WpHG) and tax laws, including the Fiscal Code (AO), Value Added Tax Act (UStG) and Income Tax Act (EStG)) and banking supervisory requirements (e.g. of the European Central Bank, the European Banking Supervisory Authority, the Deutsche Bundesbank and the Federal Financial Supervisory Authority). The purposes of processing include, but are not limited to, credit checks, identity and age checks, prevention of fraud and money laundering, compliance with tax control and reporting obligations, evaluation of your expertise, experience and knowledge of financial assets, and evaluation and management of risks to our company and its affiliates.

 

5. To whom will your data be transmitted?

Within our company, those departments that need your data to fulfil our contractual and legal obligations will have access to it.

We will only pass on your personal data to third parties if:

 

  • you have given your express consent in accordance with Art. 6 para. 1 letter a) GDPR.
  • this is legally permissible and required according to Art. 6 para. 1 letter b) GDPR for the fulfilment of a contractual relationship with you or the implementation of pre-contractual measures.
  • there is a legal obligation under Art. 6 para. 1 letter c) GDPR to pass on such information. We are legally obliged to transmit data to state authorities (e.g. financial authorities, financial supervision, tax authorities, criminal prosecution authorities).
  • the disclosure pursuant to Art. 6 para. 1 sentence 1 letter f) GDPR is necessary to safeguard legitimate business interests and to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data.
  • we use external service providers as so-called contract processors in accordance with Art. 28 GDPR, who have been obliged to handle your data with care. We use such service providers primarily in the areas of IT, logistics, telecommunications, sales, marketing and debt collection.

 

A data transfer to places in states outside the European Union (so-called third states) takes place, insofar as

 

  • it is necessary for the execution of your orders (e.g. if a payment is to be made to an account-holding institution established in a third country),
  • it is required by law (e.g. tax reporting obligations), or
  • you have given us your consent.

 

When transferring your personal data to external entities in third countries, i.e. outside the EU or the EEA, we ensure that these entities treat your personal data with the same care as within the EU or the EEA. We only transfer personal data to third countries where the EU Commission has confirmed an adequate level of protection or where we ensure the careful handling of personal data through contractual agreements or other appropriate guarantees.

 

6. How long are your data stored?

We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. Please note that our business relationship with you may last for many years.

If the data are no longer necessary for the fulfilment of contractual or legal obligations, they are regularly deleted, unless their – temporary – further processing is necessary for the following purposes:

 

  • Fulfilment of commercial and tax retention obligations: These include the German Commercial Code (HGB), the German Tax Code (AO) and the Money Laundering Act (GwG). The time limits for storage and documentation specified there are between two and ten years.
  • Preservation of evidence within the framework of the statutory limitation provisions. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

 

7. What rights do you have with regard to data protection?

Here you will find your rights regarding your personal data. Details can be found in Articles 7, 15-22 and 77 GDPR. You can contact the responsible office (point 1) or the Data Protection Officer (point 2) in this regard.

 

a)   Right to revoke your data protection consent pursuant to Art. 7 Para. 3 S. 1 GDPR

You can revoke your consent to the processing of your personal data at any time with effect for the future. However, this shall not affect the lawfulness of the processing carried out until revocation.

 

b)   Right to information pursuant to Art. 15 GDPR

You have the right to request confirmation as to whether we process any personal data concerning you. If this is the case, you have the right to information about this personal data as well as other information, e.g. the processing purposes, the recipients and the planned duration of storage or the criteria for determining the duration.

 

c)   Right to rectification and completion pursuant to Art. 16 GDPR

You have the right to demand the correction of incorrect data without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete data.

 

d)   Right to erasure ("right to be forgotten") pursuant to Art. 17 GDPR

You have the right to have your data deleted if processing is not necessary. This is the case, for example, if your data is no longer necessary for the original purposes, if you have withdrawn your declaration of consent under data protection law or if the data have been unlawfully processed.

 

e)   Right to restriction of processing pursuant to Art. 18 GDPR

You have the right to restrict the processing, e.g. if you are of the opinion that the personal data is incorrect.

 

f)   Right to data portability pursuant to Art. 20 GDPR

You have the right to receive your personal data in a structured, common and machine-readable format.

 

g)   Automated decision in individual cases including profiling pursuant to Art. 22 GDPR

You have the right not to be subject to a decision based exclusively on automated processing, including profiling, except in the exceptional circumstances mentioned in Art. 22 GDPR.

Automated decision-making, including profiling, does not take place with us. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.

 

h)   Complaint to a data protection supervisory authority pursuant to Art. 77 GDPR

You can also file a complaint with a data protection supervisory authority at any time, for example if you believe that the data processing does not comply with data protection regulations.

 

The competent data protection supervisory authority is the following:

 

Bavarian State Office for Data Protection Supervision

P.O. Box 606

91511 Ansbach

Germany

Telephone: +49 (0) 981 53 1300

Fax: +49 (0) 981 53 98 1300

E-mail: poststelle@lda.bayern.de

Homepage: http://www.lda.bayern.de

 

8. Which data are you obliged to provide?

As part of our business relationship, you must provide the personal information necessary to establish and conduct a business relationship and to fulfil the contractual obligations associated therewith, or which we are required by law to collect. Without this information, we will generally not be able to enter into or execute the contract with you.

If you are authorised to represent us, you must provide us with the personal data that are necessary for the collection and execution of a representation/authorisation and the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we usually have to reject you as an authorised representative or cancel an existing authorisation.

In particular, we are obliged under the provisions of money laundering law to identify you on the basis of your identification document before establishing the business relationship or the power of representation/authorisation and to collect and record your name, place of birth, date of birth, nationality, address and identification data. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not establish or continue the business relationship you have requested or set up or continue the power of representation/authorisation you have requested.

 

9. Is profiling taking place?

We partially process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

 

  • Due to legal and regulatory requirements, we are obliged to combat money laundering, terrorist financing and property-threatening crimes. Data evaluations are also carried out (e.g. in payment transactions). These measures also serve to protect you.
  • In order to be able to provide you with targeted information and advice on products, we use evaluation tools. These enable needs-based communication and advertising, including market and opinion research.
  • We use scoring to assess your creditworthiness. The probability with which a customer will meet its payment obligations in accordance with the contract is calculated. For example, income, expenses, existing liabilities, occupation, employer, length of employment, experience from the previous business relationship, contractual repayment of previous loans and information from credit agencies can be included in the calculation.

 

The scoring is based on a mathematically-statistically recognised and proven procedure. The calculated scores support us in making decisions in the context of product closures and are included in ongoing risk management.

 

10. Information on the right of objection under Article 21 GDPR

Right of objection in individual cases

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you carried out pursuant to Article 6 para. 1 letter e) GDPR (data processing in the public interest) and Article 6 para. 1 letter f) GDPR (data processing on the basis of a balancing of interests), including profiling based on this provision within the meaning of Article 4 No. 4 GDPR.

If you file an objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

Right to object to the processing of data for direct marketing purposes

In individual cases we process your personal data in order to operate direct advertising. You have the right at any time to object to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling in so far as it is connected with such direct advertising.

If you object to the processing for purposes of direct marketing, we will no longer process your personal data for these purposes.

 

Addressee of an objection

The objection can be made informally (preferably with the subject "Objection"), stating your name, your address and your date of birth, and should be addressed to:

 

Fidor Bank AG

Sandstr. 33 | 80335 Munich | Germany

Head Office: (089) 189 085 233

Fax: (089) 189 085 199

E-mail: info@fidor.de

 

[Last updated: February 2019]

 

* Hellersbergstraße 11, 41460 Neuss, Germany