#Investors

Data Protection Regulation (GDPR) - Guidelines for customers

Data Protection Guidelines for customers and other data subjects[1] valid from 25 May, 2018

The following information serves as an overview regarding the processing of your personal data by Helaba and your rights according to Data Protection Regulations. What types of data are processed and in what way they are used, depend significantly on the agreed and ordered services. For that reason, not all parts of this information will be applicable for you.

Who is responsible for data processing and who can provide me with information?

The responsible party is:

Landesbank Hessen-Thüringen Girozentrale (public-law institution)
The Board of Managing Directors
Main Tower
Neue Mainzer Strasse 52- 58
60311 Frankfurt am Main
Germany
T +49 69/91 32 01
F +49 69/29 15 17

Our Data Protection Officer can be reached at:

Landesbank Hessen-Thüringen Girozentrale
Datenschutzbeauftragte
Neue Mainzer Straße 52- 58
60311 Frankfurt am Main
T +49 69/91 32 01

E-Mail: datenschutz@helaba.de

What sources and data do we use?

We process personal data that we receive from our clients or other data subjects within the scope of our business relations. Furthermore, if necessary for rendering our services, we process personal data lawfully obtained from publicly available sources (e. g. public list of debtors, cadastral register, commercial register, public media, Internet) or that have been lawfully provided to us by other companies of Sparkassen-Finanzgruppe (SFG) as our network partner or other third parties (e. g. credit agency).

Relevant personal data are particulars (name, address and other contact data, date and place of birth and nationality), identification data (e. g. passport/ID-data) authentification data (e. g. signature sample), the rights to dispose of accounts and authorities to sign. Moreover, they can be order data (e. g. payment order, security order), data resulting from fulfilling our contractual obligations (e. g. revenue data from payment transactions), credit limit, product data (e. g. deposit and credit transactions), information about your financial situation (credit score, origin of assets, influence on and control of legal persons if applicable), advertising and sales data (including advertising scores), documentation data (e. g. minutes of consultings), register data, log data generated during use of IT systems (e. g. time of web site, app or newsletter visits, accessed Helaba web sites) as well as other data similar to the mentioned categories.

Who receives my data?

Within Helaba, personal data is received by those bodies that require the data in order to comply with our contractual and legal obligations. For this reason, we may also use various service providers (Art. 28 GDPR), if they maintain banking confidentiality in particular. These are companies in the categories credit and financial services, IT services, logistics, print services, telecommunication services, debt collection, advice and consultancy and distribution and marketing.

Regarding the transfer of personal data to recipients outside Helaba, it is of particular importance that Helaba, as a bank, is obliged to maintain confidentiality concerning all customer-related facts and assessments of which we become aware. Helaba may only disclose information concerning the customer if it is legally required to do so or if the customer has consented or if the Bank is authorized to disclose banking affairs. With these preconditions the recipients of personal data may include:

  • public authorities and institutions (e. g. European Central Bank, European Banking Regulator, Financial Conduct Authority, Prudential Regulatory Authority, tax authorities) where a legal or official obligation exists
  • other banks and financial services institutions or similar organizations that receive personal data from us in connection with our business relation with you (depending on contract e. g. correspondence banks, custodian banks, stock exchanges, credit agencies),
  • other companies within Helaba for risk control purposes due to legal or administrational obligations
  • third parties involved in the credit approval process (e. g. building societies, consortium banks, investors (e. g. capital management companies, pension funds, insurance companies), investment companies, funding institutions, fiduciaries, companies providing value assessments),
  • external processors.

Other data recipients may be the companies to which we transfer data with your consent or for which you have released us from banking confidentiality by arrangement or consent or that may, after a weighing of interests, receive personal data from us.

Are data transmitted to a third country or to an international organization?

A transfer of data to offices in countries outside the European Union (so-called third countries) takes place, as far as

  • it is required to complete your orders (e. g. payment and securities orders),
  • it is required by law (e. g. tax reporting obligations) or
  • you have given us your consent.

Furthermore, a transfer to third countries is foreseen in the following cases:
If required in individual cases, your personal information may be transferred to an IT service provider in the United States or other third country to ensure the IT operations of the Bank, in compliance with European data protection standards.
In individual cases, personal data (such as legitimacy data) will be transmitted in compliance with the data protection level of the European Union, with the consent of the person concerned or by means of legal provisions to combat money laundering, terrorist financing and other criminal acts and in the context of a balance of interests.

How long will my data be stored?

We process and store your personal data as long as this is necessary for the fulfillment of our contractual and legal obligations. It should be noted that our business relationship is a permanent debt, which is designed for years.
If the data are no longer required for the fulfillment of contractual or legal obligations, these are regularly deleted, unless their temporary processing is necessary for the following purposes:
Fulfillment of commercial and tax retention obligations, e. g. can result from: Commercial Code, Tax Code, Banking Act, Money Laundering Act and Securities Trading Act. The deadlines for storage and documentation specified there are usually two to ten years.
Preservation of evidence in the context of the statutory statute of limitations. According to §§195 et seq. Of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular period of limitation is 3 years.

Which data protection rights do I have?

Each data subject has the right to information under Article 15 of the GDPR, the right of correction under Article 16 GDPR, the right to cancellation under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. In addition, there is a right of appeal to a competent data protection supervisory authority.

Consent may be withdrawn at any time. The same applies to any declarations of consent you may have signed before 25 May 2018 (when the GDPR enters into force).

In addition, consent can only be withdrawn for future processing operations and withdrawal of consent does not affect processing operations already carried out.

Is there a duty for me to provide data?

As part of our business relationship, you must provide the personal information necessary to initiate, conduct and terminate a business relationship and to perform the related contractual obligations, or we are required to collect it by law. Without this data, we will generally be unable to conclude, execute and terminate a contract with you.
In particular, we are obliged under the money laundering regulations and the tax code to identify the contracting party and the beneficial owner on the basis of the identification document prior to establishing the business relationship or opening an account, thereby collecting name, place of birth, date of birth, nationality, address and identification data and hold on. In order for us to be able to fulfill this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and immediately notify us of any changes resulting from the business relationship. If you do not provide us with the necessary information and documents, we may not take up or continue the business relationship you have requested.

To what extent is there an automated decision-making process?

In principle, we do not use fully automated decision-making in accordance with Article 22 of the GDPR to justify and implement the business relationship. If we use these procedures in individual cases, we will inform you about this and about your respective rights separately, if this is prescribed by law.

To what extent is my data used for profiling (scoring)?

We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

Due to legal and regulatory requirements, we are committed to combating money laundering, the financing of terrorism and property-related offenses. At the same time, data evaluations (among others in payment transactions) are carried out. These measures also serve your protection.
In the context of assessing your creditworthiness, we use the scoring for private customers. This calculates the probability with which a customer will meet its payment obligations in accordance with the contract. For example, the calculation may include income, expenses, existing liabilities, occupation, employer, duration of employment, past business experience, past repayment of the loan and information from credit reporting agencies. The scoring is based on a mathematically-statistically recognized and proven procedure. The calculated score values ​​help us to make decisions in the context of product deals and are part of ongoing risk Management.

Information about your right to object under Article 21 GDPR

Case-specific right of objection

You have the right at any time, for reasons arising out of your particular situation, to prevent the processing of personal data concerning you pursuant to Article 6 (1) (e) of the GDPR (Data Processing in the Public Interest) and Article 6 (1) (f) GDPR (Data processing on the basis of a balance of interests) takes place, objecting; this also applies to a profiling based on this provision within the meaning of Article 4 No. 4 GDPR.
If you object, we will no longer process your personal information unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, pursuing or defending legal claims.

Right to object to the processing of data for direct marketing purposes

In individual cases, we process your personal data in order to operate direct mail. You have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct mail. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.

Recipient of the objection

The objection can be form-free with the subject "objection" stating your name, address and date of birth and should be addressed to:

Landesbank Hessen-Thüringen Girozentrale
Datenschutzbeauftragte
Neue Mainzer Straße 52-58
60311 Frankfurt am Main
Germany
T: +49 69/91 32 01
E-Mail: datenschutz@helaba.de

[1] e. g. authorized representatives, potential customers, third-party guarantors

To be able to continuously improve our website, we use cookies. If you continue your visit, you agree to the use of cookies. For more information, see  Data protection