Data Protection Information

Information on data protection for clients and other data subjects – valid from 25 May 2018 

Our handling of your data and your rights

Information pursuant to Articles 13, 14 and 21 of the General Data Protection Regulation – GDPR

We are delighted that you have shown interest in our company. Data protection is a particularly high priority for the management of Quirin Privatbank AG.

The processing of personal data will always be in line with the provisions of the General Data Protection Regulation and in accordance with the country-specific data protection regulations applicable to Quirin Privatbank AG.

By means of this data protection information, our company would like to inform you about the nature, scope and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed by means of this data protection declaration of the rights to which they are entitled.

With the following information, we would like to give you an overview of the processing of your personal data by us and of your rights under data protection law. Which data are processed in detail and how they are used depends largely on the services you request or agree to have provided. Please take note of the information applicable to you.

Who is responsible for data processing and whom can I contact?

Responsibility lies with:

Quirin Privatbank AG
Kurfürstendamm 119
10711 Berlin

info@quirinprivatbank.de

Free hotline:
+49 (0)800 0 80 40 10 

You can reach our internal Data Protection Officer at:

Data Protection Officer
Quirin Privatbank AG
Kurfürstendamm 119
10711 Berlin

info@quirinprivatbank.com

The competent supervisory authority is:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
Puttkamerstr. 16-18 (5th floor)
10969 Berlin

Phone: 030/13889 0
Fax: 030/215 5050

General: Definitions

The data protection declaration of Quirin Privatbank AG is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public and for our clients and business partners. To ensure this, we would like to first explain the terminology used.

In this data protection declaration, we use, inter alia, the following terms:

a)    Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b)    Data subject

Data subject is any identified or identifiable natural person, whose personal data are processed by the controller.

c)    Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d)    Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

e)    Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f)     Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

g)    Controller or controller responsible for the processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of the processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law.

h)    Processor

Processor is a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.

i)      Recipient

Recipient is a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not. However, public authorities, which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law, shall not be regarded as recipients.

j)      Third party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

k)    Consent

Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

What sources and data do we use?

We process personal data, which we receive from our clients or other data subjects in the context of our business relationship. We also process personal data legitimately obtained from publicly accessible sources (e.g. debtor registers, land registers, commercial registers and registers of associations, press, Internet) or which have been legitimately transmitted to us from other third parties (e.g. Federal Central Tax Office or credit agency) to the extent necessary for rendering our services.

Relevant personal data collected in dealing with prospective clients, master data set-up, in the context of a power of attorney (account and securities account power of attorney) or as another authorised person may be:

- Personal master data (name, address and other contact information, date/place of birth and nationality, gender, marital status),

- Identification data (e.g. ID data) and authentication data (e.g. specimen signature), tax ID, FATCA status, and CRS status.

When products/services from the product categories listed below are purchased and used, additional personal data may be collected, processed and stored in addition to the above-mentioned data. These primarily include:

Account and payment transactions (including online banking)

Order data (e.g. payment orders), data stemming from the fulfilment of our contractual obligations (e.g. payment transaction data),

Securities business

Information on knowledge of and/or experience with securities (MiFID status), investment behaviour/strategy (scope, frequency, risk appetite), profession, financial situation (assets, liabilities, income from employment/self-employment, expenses), foreseeable changes in financial circumstances (e.g. retirement age), specific objectives/major concerns in the future (e.g. planned acquisitions, redemption of liabilities),

tax information (e.g. information on church tax liability),

documentation data (e.g. statements of suitability, call recording).

Lending business (consumers and self-employed)

Credit score documentation (income, expenses, salary slips, P&L statements and balance sheets, tax documents, information/proof of assets and liabilities, guarantees issued, bank statements), employer, type and duration of employment relationship, number of dependent children, residence/work permit in the case of non-EU nationals, scoring/rating data, intended purpose

Client contact information

In the development phase and over the course of the business relationship, in particular as a result of personal, telephone or written contact initiated by you or by the Bank, additional personal data is created, e.g. information about the contact channel, date, occasion and result, (electronic) copies of correspondence as well as information on participation in direct marketing activities, advertising and sales data, and other data comparable with the categories mentioned.

What is the purpose of processing your data (purpose of processing) and on what legal basis does this take place?

We process personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a) for the performance of contractual obligations (Article 6 (1)(b) GDPR)

Data are processed for the purpose of providing banking transactions and financial services in accordance with our contracts with our clients or for performing pre-contractual measures as a result of queries. The purposes of data processing are primarily determined by the specific product (see point 2) and may include, inter alia, analyses, advice, asset management and support and the execution of transactions. Further details on the purposes of data processing can be found in the respective contractual documents and our General Terms and Conditions.

b) within the scope of the balancing of interests (Article 6 (1)(f) GDPR)

To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect our legitimate interests or those of third parties. These could be, for example:

- ensuring IT security and the IT operation of the Bank,

- prevention and investigation of criminal offences,

- measures for building and system security,

- measures to secure the domiciliary right (e.g. video surveillance),

- measures for business management and further development of services and products,

- consultation and exchange of data with credit agencies (e.g.) so as to determine credit standing or default risks in connection with lending business,

- marketing purposes (e.g. advertising or market and opinion research), or

- lodging legal claims and defence in case of legal disputes.

c) on the basis of your consent (Article 6 (1)(a) GDPR)

Insofar as you have granted us consent to the processing of personal data for certain purposes, the legality of this processing is given on the basis of your consent. A given consent may be revoked at any time. This also applies to the revocation of declarations of consent issued to us before the GDPR came into force, i.e. before 25 May 2018. Revocation of consent will only take effect in the future. Processing that took place prior to the revocation is not affected by this.

d) for compliance with a legal obligation (Article 6 (1)(c) GDPR) or in the public interest (Article 6 (1)(e) GDPR)

As a bank, we are subject to various legal obligations, i.e. statutory requirements (e.g. German Banking Act, Money Laundering Act, Securities Trading Act, tax laws) and banking supervisory requirements (e.g. of the European Central Bank, the European Banking Supervisory Agency, the German Federal Bank, and the Federal Agency for the Supervision of Financial Services). The purposes of the processing include credit checks, identity and age verification, fraud and money laundering prevention, the fulfilment of tax law control and reporting obligations as well as the assessment and management of risks at the Bank.

Who receives my data?

Within the Bank, those departments are granted access to your data that require them to perform our contractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes in the context of so-called order processing, provided that they specifically observe banking secrecy and our written instructions under data protection law. These are companies in the categories of banking services, IT services, logistics, printing services, telecommunications, collection of receivables, advice as well as sales and marketing.

With regard to the transfer of data to recipients outside our Bank, it must first be noted that as a bank we are obliged to maintain confidentiality about all client-related facts and assessments of which we become aware (banking secrecy). As a matter of principle, we may only pass on information about our clients if required to do so by law, if the client has consented, or we are authorised to provide a bank reference.

Under these conditions, recipients of personal data may be, for example:

- public bodies and institutions (e.g. European Central Bank, European Banking Supervisory Authority, German Federal Bank, Federal Agency for the Supervision of Financial Services, tax authorities, criminal prosecution authorities, family courts, and land registry offices) in the case of a statutory or official obligation,

- other loan and financial services institutions or comparable institutions to whom we transfer your personal data in order to perform transactions under our business relationship with you. Specifically: support/maintenance of computer/IT applications, archiving, receipt processing, compliance services, data screening for anti-money laundering purposes, data destruction, purchasing/procurement, facilities management, collection, payment card processing (debit cards/credit cards), client management, lettershops, marketing, media technology, reporting, telephony, video identification, website management, securities services, share register, fund management, auditing services, and payment transactions,

- creditors or liquidators submitting queries in connection with a foreclosure,

- service providers in connection with credit or banks or businessmen submitting queries if payment by card is denied,

- third parties involved in loan granting processes (such as insurance companies, building societies, investment companies, funding establishments, trustees, service providers carrying out value assessments).

Other recipients of data may be those bodies for which you have given us your consent to the transfer of data or with respect to which you have exempted us from banking secrecy by agreement or consent, or to which we may transfer personal data on the basis of the balancing of interests.

Is data transferred to a third country or to an international organisation?

Data transfers to bodies in countries outside the European Union (so-called third countries) will only take place to the extent

- this is required for the execution of your orders (e.g. payment and securities orders),

- it is required by law (e.g. reporting obligations under tax law), or

- you have given us your consent or in the context of order processing.

If service providers in a third country are used, they shall, in addition to instructions in writing, be bound by the agreement of the EU standard contractual clauses on compliance with the data protection level in Europe.

In individual cases, personal data (e.g. legitimation data) will be transferred with the consent of the data subject or as a result of statutory regulations on controlling money laundering, the financing of terrorism and other criminal offences, as well as within the scope of the balancing of interests, in compliance with the data protection level of the European Union.

For how long will my data be stored?

Your personal data will be stored as long as it is necessary for the performance of our contractual and statutory obligations. It should be noted that our business relationship is a long-term debt relationship that is designed to run for years.

If the data are no longer required for the performance of contractual or legal obligations, they are regularly deleted, unless further processing – for a limited period – is necessary for the following purposes:

- Compliance with retention obligations under commercial or tax legislation. These include obligations arising from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German law on Money Laundering (GwG) and the German Securities Trading Act (WpHG). As a rule, the periods for storage and documentation specified there are two to ten years.

- Preservation of evidence under the statute of limitations. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

What data protection rights do I have?

a. Right to confirmation

Every data subject shall have the right granted by the European legislator, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to exercise this right of confirmation, he or she may, at any time, contact any employee of the controller.

b. Right to information

Any data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and legislation grant the data subject access to the following information:

the purposes of the processing,

the categories of personal data processed,

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,

where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period,

the existence of the right to the rectification or erasure of personal data concerning him or her or to the limitation of the processing carried out by the controller or of the right to object to processing such data,

the existence of the right to lodge a complaint with a supervisory authority,

where the personal data are not collected from the data subject, any available information as to their source,

the existence of automated decision-making, including profiling, according to Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject.

Furthermore, the data subject has a right of access to information as to whether personal data were transferred to a third country or to an international organisation. If this is the case, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.

When the data subject wishes to exercise this right of access, he or she may at any time contact an employee of the controller.

c. Right to rectification

Every data subject shall have the right granted by the European legislator, to obtain without undue delay the rectification of inaccurate personal data concerning him or her. Further, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If the data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.

d. Right to erasure (right to be forgotten)

Each data subject shall have the right granted by the European legislator to request from the controller the erasure of personal data concerning him or her without undue delay where one of the following conditions applies and to the extent that data processing is not necessary:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

The data subject withdraws his consent on which the processing was based pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and where there is no other legal ground for the processing.

The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.

The personal data have been unlawfully processed.

The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

The personal data were collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

If one of the above-mentioned reasons applies and a data subject wishes to request the erasure of personal data stored by us, he or she may, at any time, contact any employee of the controller. Our employee shall ensure that the request for erasure is complied with immediately.

If the personal data have been made public by us, and our company as controller is obliged pursuant to Article 17(1) GDPR to erase the personal data, taking into account the available technology and the implementation costs, we shall take appropriate measures, including technical measures, to inform other controllers processing the published personal data that the data subject has requested from these other data controllers the erasure of all links to this personal data or copies or replications of this personal data, insofar as the processing is not necessary. Our employee will make the necessary arrangements case-by-case.

e. Right to restriction of processing

Each data subject affected by the processing of personal data shall have the right granted by the European legislator to request the controller to restrict the processing where one of the following conditions applies:

The data subject disputes the accuracy of the personal data, for a period of time which allows the controller to verify the accuracy of the personal data.

The processing is unlawful, the data subject opposes the erasure of the personal data and requests the restriction of their use instead.

The controller no longer needs the personal data for the purposes of processing, but the data subject requires them to establish, exercise or defend legal claims.

The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the above conditions is met and a data subject wishes to request the restriction of personal data stored by us, he or she may, at any time, contact any employee of the data controller. Our employee will arrange the restriction of the processing.

f. Right to data transferability

Each data subject affected by the processing of personal data shall have the right granted by the European legislator to receive the personal data concerning him or her, which were provided by the data subject to a controller, in a structured, common and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that the processing is based on consent pursuant to Article 6 (1)(a) GDPR or Article 9(2)(a) GDPR, or on a contract pursuant to Article 6 (1)(b) GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task to be carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data transferability pursuant to Article 20(1) GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

In order to enforce the right to data transferability, the data subject may contact any employee at any time.

g. Right to object

Each data subject affected by the processing of personal data shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.

In the event of an objection, we shall no longer process the personal data, unless we can prove compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the purposes of establishment, exercise or defence of legal claims.

Where we process personal data for direct marketing purposes, the data subject shall have the right to object, at any time, to the processing of personal data for such advertising. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to our processing for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data relating to him/her by us for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 (1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In order to exercise the right to object, the data subject may directly contact any employee. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by automated means using technical specifications.

h. Automated individual decision-making, including profiling

Each data subject affected by the processing of personal data shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, provided that the decision

- is not necessary for entering into, or the performance of, a contract between the data subject and the data controller, or

- is authorised by Union or Member State law to which the controller is subject, and this legislation lays down suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, or

- is based on the explicit consent of the data subject.

If the decision

- is necessary for entering into, or the performance of, a contract between the data subject and the controller, or

- is made with the data subject’s explicit consent, we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

If the data subject wishes to exercise rights concerning automated decision-making, he or she may do so at any time by contacting any employee of the controller.

i. Right to withdraw data protection consent

Each data subject affected by the processing of personal data shall have the right granted by the European legislator to withdraw his or her consent to the processing of personal data at any time.

If the data subject wishes to exercise his or her right to withdraw consent, he or she may do so at any time by contacting any employee of the controller.

You can exercise your right to withdraw consent to the processing of personal data at any time. This also applies to withdrawing declarations of consent given to us before the GDPR came into force, i.e. before 25 May 2018. Please note that the withdrawal will only take effect in the future. Processing of data that took place before the withdrawal is not affected.

j. Right of complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work or place of the alleged breach of data protection, if you consider that the processing of your personal data is unlawful.

Am I obliged to give data?

In the context of our business relationship, you must provide the personal data required for the establishment, execution and termination of a business relationship and the fulfilment of the associated contractual obligations, or which we are legally obliged to collect. Without these data we will generally not be able to conclude a contract with you, will no longer be able to execute an existing contract and may have to terminate it.

In particular, we are obliged under the money laundering regulations to identify you on the basis of your identification document before establishing the business relationship and to collect and record your name, place of birth, date of birth, nationality, address and identification data. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not establish or continue the business relationship you have requested.

To what extent is there automated decision-making?

For the establishment and implementation of a business relationship we generally do not use fully automated decision-making pursuant to Article 22 GDPR. Should we use this procedure in individual cases, we will inform you of this and your rights separately, insofar as this is required by law.

Will profiling take place?

We process some of your data automatically with the aim of evaluating certain personal aspects (profiling), for example:

- as a result of statutory and regulatory requirements, we are obliged to combat money laundering, the financing of terrorism and criminal acts jeopardising property. In this respect, data is analysed (inter alia, in payment transactions). These measures also serve to protect you.

- so as to be able to inform you selectively about our products and to provide advice to you, we use analysis tools. These permit communication according to your needs and advertising, including market and opinion research.

- in connection with the assessment of your creditworthiness, we use scoring. This calculates the probability of a client meeting his contractual payment obligations. This calculation may, for example, take into account income, expenses, existing financial obligations, occupation, employer, time of employment, experience from the previous business relationship, contractual repayment of previous loans and information from credit agencies. Scoring is based on a proven and recognised mathematical-statistical procedure. The resulting score values assist us in decision-making in connection with product transactions and are incorporated into the ongoing risk management.

Information about your right to object pursuant to Article 21 GDPR

Right to object based on individual cases

You have the right to object at any time on grounds relating to your particular situation to the processing of your personal data under Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing on the basis of the balancing of interests); this also applies to profiling within the meaning of Article 4(4) GDPR.

If you file an objection, we will no longer process your personal data unless there are compelling reasons for such processing which take precedence over your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

Right to object to processing of data for the purpose of direct marketing

In individual cases, we process your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of your personal data for the purposes of such marketing; this also applies to profiling, insofar as it is connected to such direct marketing. If you do object to processing for the purposes of direct marketing, we will no longer process your personal data for these purposes.

The objection can be sent informally to the following address:

Quirin Privatbank AG
Kurfürstendamm 119
10711 Berlin

info@quirinprivatbank.com

Data processing on the web pages

Quirin Privatbank AG also processes personal data on its web pages. The following information provides you with an overview of how we process your personal data and your rights under data protection law.

Further information

If you would like information this data protection declaration cannot give you or you would like further information on a specific point, please contact the Data Protection Officer of Quirin Privatbank AG.