Privacy notices – information on how we handle your data and your rights in accordance with the General Data Protection Regulation, articles 13, 14 and 21
Other than on the website, we also process personal data as part of our business relationship. Information on this data processing and your data protection claims and rights, some of which also affect data processing on our website, can be found in our privacy notices.
You will find information on the following issues:
- Who is responsible for data processing and who can I contact?
- Which sources and data do we use?
- Why do we process your data (purpose of processing) and on what legal basis?
- Fulfilling contractual obligations (GDPR, article 6(1)(b))
- With regard to weighing up interests (GDPR, article 6(1)(f))
- On the basis of your consent (GDPR, article 6(1)(a))
- Due to statutory requirements (GDPR, article 6(1)(c))
- Who receives my data?
- How long will my data be stored?
- Is data transferred to a third country or an international organisation?
- What are my data protection rights?
- Am I obliged to provide data?
- To what extent is there automatic decision-making in individual cases?
- To what extent is my data used for profiling (scoring)?
Information on how we handle your data and your rights in accordance with the General Data Protection Regulation, articles 13, 14 and 21
This will inform you about how we process your personal data and the claims and rights to which you are entitled under the data protection regulations. Which data is processed in detail and how it is used depends largely on the services you have requested or we have agreed with you.
1. Who is responsible for data processing and who can I contact?
Responsible body is:
Europäisch-Iranische Handelsbank AG Depenau 2
Phone: +49 (0)40 321 090
Fax: +49 (0)40 321 098 90
You can get in touch with our Data Protection Officer at:
Phone: +49 (0)30 440 585 03
Fax: +49 (0)30 440 585 10
2. Which sources and data do we use?
We process the personal data we receive from you in the course of our business relationship. To the extent necessary for the provision of our services, we also process personal data which we have legitimately obtained from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers, press, media) and which is legitimately transmitted to us by our branches or other third parties (e.g. a credit agency).
Relevant personal data are personal details (name, address and other contact data, birthday and place of birth as well as nationality), identification information (e.g. ID data), and authentication information (e.g. specimen signature). This may also include order data (e.g. payment order), data from the fulfilment of our contractual obligations (e.g. sales data in payment transactions), information about your financial situation (e.g. creditworthiness, scoring or rating data, origin of assets), credit-relevant data (e.g. income and expenses), possible advertising and sales data, documentation data (e.g. call log) and other data comparable with the categories mentioned.
3. Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
3.1 Fulfilling contractual obligations (GDPR, article 6(1)(b))
The processing of personal data (GDPR, article 4(2)) takes place for the provision and mediation of banking transactions and financial services, in particular for the execution of our contracts or pre-contractual measures with you and the execution of your orders as well as all activities necessary for the operation and administration of a credit and financial services institution.
The purposes of data processing are primarily based on the specific product (e.g. account, credit, securities, deposits, brokerage) and may include needs analyses, advice, asset management and support as well as the execution of transactions.
Further details for the purpose of data processing can be found in the respective contractual documents and terms and conditions.
3.2 With regard to weighing up interests (GDPR, article 6(1)(f))
If necessary, we shall process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. For example:
- Consultation of and data exchange with credit agencies (e.g. SCHUFA) to determine creditworthiness or default risks and the need for an attachment protection account or basic account
- Review and optimisation of procedures for needs analysis and direct customer approach
- Advertising or market and opinion research, as long as you have not objected to the use of your data
- Enforcement of legal claims and defence in legal disputes
- Ensuring IT security and our IT operations
- Prevention and investigation of criminal offences
- For the protection of domiciliary rights, the collection of evidence in the event of robberies and fraud or proof of orders and deposits
- Measures for building and system security (e.g. access control); measures for business management and ongoing development of services and products.
3.3 On the basis of your consent (GDPR, article 6(1)(a))
If you have given us your consent to process your personal data for certain purposes (e.g. evaluation of payment transaction data for marketing purposes, newsletter dispatch), the legality of this processing is deemed to be a given on the basis of this consent. Given consent can be revoked at any time. This shall also apply to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. The revocation of a consent shall only be effective for the future and shall not affect the legality of the data processed up until the revocation.
3.4 Due to statutory requirements (GDPR, article 6(1)(c)) or in the public interest (GDPR, article 6(1)(e))
Furthermore, as a bank we are subject to diverse legal obligations, i.e. statutory requirements (e.g. German Banking Act (KWG), Anti-Money Laundering Act (GwG), Securities Trading Act (WpHG), and taxation laws) and regulations stipulated by the banking regulatory authorities (e.g. European Central Bank, European Banking Supervision, the Deutsche Bundesbank and the Federal Financial Supervisory Authority (Finanzdienstleistungsaufsicht). The purposes of processing include identity and age verification, fraud and money laundering prevention, the fulfilment of tax control and reporting obligations as well as the evaluation and management of risks.
4. Who receives my data?
Within the bank, departments that receive your data are those which need it to fulfil our contractual and legal obligations. Processors used by us (GDPR, article 28) may also receive data for these purposes. These are companies in the categories of IT services, logistics and telecommunications.
With regard to the transfer of data to recipients outside our bank, it must first be noted that we are obliged to maintain confidentiality about all customer-related facts and assessments of which we become aware (banking secrecy in accordance with no. 2 of our General Terms and Conditions). We may only disclose information about you if required to do so by law, if you have given your consent or if we are authorised to disclose banking information. In compliance with these prerequisites, recipients of personal data may include:
- Public bodies and institutions (e.g. European Central Bank, European Banking Supervision, Deutsche Bundesbank, Federal Financial Supervisory Authority, tax authorities, law enforcement authorities, family courts, land registries) in the event of a legal or official obligation
- Other credit and financial services institutions or similar institutions to which we transmit personal data in order to conduct the business relationship with you (e.g. correspondent banks, custodian banks, stock exchanges, credit agencies depending on the contract)
- Creditors or insolvency practitioners who request it in relation to execution
- Service providers that we use within the framework of order processing contracts
Other recipients of data may be those entities for which you have given us your consent to the transfer of data, or for which you have exempted us from banking secrecy in accordance with an agreement or consent, or to which we are authorised to transfer personal data on the basis of a balance of interests.
5. How long will my data be stored?
We will process and store your personal data as long as this is necessary for the fulfilment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation that is intended to run for years.
If the data is not required for the fulfilment of contractual or legal obligations, this shall be regularly deleted, unless further (limited) processing is necessary for the following purposes:
- Fulfilment of retention obligations under commercial and tax laws, which may arise, for example, from the following German legislation: German Commercial Code (HGB), Fiscal Code (AO), Banking Act (KWG), Anti-Money Laundering Act (GwG) and Securities Trading Act (WpHG). The terms set out in the above for the retention and documentation generally range from between two and ten years.
- Preservation of evidence within the framework of the statute of limitations. In accordance with the German Civil Code (BGB), sections 195 et seq., these periods of limitations may be up to 30 years; however, the usual period of limitation is 3 years.
6. Is data transferred to a third country or an international organisation?
Data is transferred to bodies in countries outside the European Union (third countries), insofar as
- this is necessary to execute your orders (e.g. payment orders);
- it is stipulated by law (e.g. reporting required under tax law) or
- you have given us your consent.
Furthermore, data transfer to bodies in third countries is provided for in the following cases:
- If necessary in individual cases, your personal data may be transferred to an IT service provider in the USA or another third country to ensure the both Bank’s IT operations and compliance with the scope of European data protection.
- With the consent of the person concerned or on the basis of legal regulations to combat money laundering, terrorist financing and other criminal acts as well as in the context of a balancing of interests, personal data (e.g. legitimation data) will be transmitted in individual cases in compliance with the scope of data protection of the European Union.
7. What are my data protection rights?
Any party concerned has the right of access to information under GDPR, article 15, the right to correction under article 16, the right to deletion under article 17, the right to limitation of processing under article 18, and the right to data transferability under article 20. In the case of right to information and right to deletion, the restrictions pursuant to the Federal Data Protection Act (BDSG), sections 34 and 35, shall apply. Furthermore, the right to object to a data protection supervisory authority shall apply (GDPR, article 77 in conjunction with BDSG, section 19).
You may revoke your consent to the processing of personal data with us at any time. This shall also apply to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. Please note that the revocation shall only be effective for the future. Processing performed prior to the revocation shall not be affected.
8. Am I obliged to provide data?
Within the framework of our business relationship, you are required to provide the personal data necessary for the establishment, execution and termination of a business relationship and for the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this information, we shall not be able to enter into, execute or terminate a contract with you.
In particular, we are obliged under the provisions of anti-money laundering law to identify you before establishing the business relationship, for example, on the basis of your identification document and to collect your name, place of birth, date of birth, nationality and address. In order for us to comply with this legal obligation, you are to provide us with the necessary information and documents in accordance with the German Anti-Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you fail to provide us with the necessary information and documents, we may not establish or continue the business relationship you have requested.
9. To what extent is there automatic decision-making in individual cases?
In principle, we do not use fully automatic decision-making according to GDPR, article 22, for the establishment and implementation of the business relationship. If we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is prescribed by law.
10. To what extent is my data used for profiling (scoring)?
We process some of your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:
- Due to legal and regulatory requirements, we are obliged to combat money laundering, terrorist financing and offences that compromise assets. In the process, data is also evaluated (for example, in payment transactions). These measures also serve to protect you.
Information regarding your right to object in compliance with the General Data Protection Regulation, article 21 (GDPR)
1.Right of objection in individual cases
You have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you, which is carried out on the basis of GDPR, article 6(1)(f) (data processing on the basis of a balance of interests). This shall also apply to profiling based on this provision as defined in GDPR, article 4(4), which we use for credit rating or advertising purposes.
If you object, we shall cease processing your personal data, unless we can provide compelling reasons for its processing worthy of protection, which outweigh your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims.
2.Right of objection to the processing of data for direct advertising purposes
In individual cases, we shall process your personal data for direct advertising purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is connected with direct advertising.
If you object to processing for direct advertising purposes, we shall cease to process your personal data for these purposes.T
he objection can be made without formal requirements and is to be addressed to:
Europäisch-Iranische Handelsbank AG Depenau 2
Phone: +49 (0)40 321 090
Fax: +49 (0)40 321 098 90