Data Protection Notes
How we handle your data and your rights – Information according to Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
2. What sources and data do we use?
We process personal data that we receive directly from you in the scope of our business relationship. We also process, as far as it is required for rendering our service, personal data that we have admissibly received from other companies or other third parties (e.g. from SCHUFA) (e.g. to perform orders, meet contracts or based on consent given by you). In addition, we process personal data that we have admissibly acquired from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers, press, media, and internet) and are allowed to process.
Relevant personal data are personal information (name, address and other contact details, date and place of birth and nationality), legitimation data (e.g. ID data) and authentication data (e.g. signature sample). Furthermore, they may also be order data (e.g. payment order), data from compliance with our contractual obligations (e.g. turnover data in payment transactions, credit scope, product details [e.g. contribution, credit and custodian business]), information concerning your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data, documentation data (e.g. records), register data, data concerning your use of our offered telemedia (e.g. time of call of our websites, clicked pages or entries from us) as well as other data comparable to the categories named.
3. For what purpose do we process your data (purpose of processing) and what is the legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG):
3.1 For compliance with contractual obligations (point (b) of Article 6(1) GDPR)
Processing of personal data (Article 4(2) GDPR) takes place for rendering and mediation of bank transactions, financial services, as well as insurance and real estate transactions, in particular for performance of our contracts and carrying-out of your orders, as well as any necessary activities connected to operation and management of a credit and financial service institute.
The purposes of processing activities are mainly according to the specific product (e.g. account, loan, contributions, mediation) and can, inter alia, comprise demand analyses, consulting as well as execution of transactions.
The further details for the purpose of processing activities can be taken from the respective contract documents and terms and conditions.
3.2 Within the scope of consideration of interests (point (f) of Article 6(1) GDPR)
As far as is necessary, we will process your data beyond the actual performance of the contract to protect legitimate interests of us or of third parties, e.g. in the following cases:
- Consultation of and data exchange with credit rating agencies (e.g. SCHUFA) to determine creditworthiness or default risks and the needs in attachment protection accounts or basic accounts;
- Review and optimisation of procedures for demand analysis and direct customer contact;
- Marketing or market and opinion research as far as you have not objected to use of your data;
- Establishment of legal claims and defences in legal disputes;
- Ensuring IT security and IT operation of the bank;
- Preventing and investigating criminal offences;
- Measures for building and system security (e. g. access controls);
- Measures to ensure house rights;
- Measures for business control and further development of services and products.
3.3 Based on your consent (point (a) of Article 6(1) GDPR)
Where you have given your consent to processing of your personal data for specific purposes, such processing is lawful based on your consent. Consent once given may be revoked at any time.
Please note that the revocation will only be effective for the future. Processing that took place before the revocation is not affected by this.
3.4 Based on statutory provisions (point (c) of Article 6(1) GDPR) or in public interest (point (e) of Article 6(1) GDPR)
Additionally, we as a bank are subject to various legal obligations (e.g. Credit Management Act, Money Laundering Act, tax laws) and banking supervision specifications (e.g. of the European Central Bank, the European Banking Supervision, the German Federal Bank and the Federal Institution for Financial Services Supervision). The purposes of processing include, inter alia, the creditworthiness check, identity and age verification, fraud and money laundering prevention, compliance with controlling and notification obligations under tax law and evaluation and control of risks.
4. Who will receive my data?
Within the bank, those offices that require them in order to enable us to meet our contractual and statutory obligations will receive access to the data. Processors used by us (Article 28 GDPR) may receive data for these named purposes as well. These are companies in the categories of credit-management services, IT services, logistics, printing services, telecommunication, cash collection, advice and consulting, as well as sales and marketing.
Concerning data forwarding to recipients outside of the bank, it must be observed first that we are obligated according to the general terms and conditions agreed between you and us to maintain secrecy concerning any customer-related facts and assessments that we gain knowledge of (banking secrecy). Information concerning you must only be passed on if legal provisions require this, you have consented to it or we have the right to provide bank information. Subject to these prerequisites, recipients of the personal data may be, e.g.:
- Public offices and institutions (e.g. German Federal Bank, Federal Institution for Financial Services Supervision, European banking supervisory authority, European Central Bank, tax authorities) if there is any statutory or authority obligation.
- Other credit and financial service institutes or comparable facilities to which we submit personal data to perform the business relationship with you.
Further data recipients may be those offices for the transfer to which you have given us your consent or released us from banking secrecy in accordance with an agreement or consent.
5. How long are my data stored for?
As far as required, we will process and store your personal data for the duration of our business relationship, e. g. including the preparation and processing of a contract. Please note that our business relationship is a continuing obligation that is set up to last for years.
Furthermore, we are subject to various storage and documentation obligations, inter alia resulting from the German Commercial Code (Handelsgesetzbuch; HGB), the Tax Code (Abgabenordnung; AO), the Banking Act (Kreditwesengesetz; KWG) and the Anti-Money-Laundering Act (Geldwäschegesetz; GwG). The time limits stipulated there for archiving or documentation are up to ten years.
Finally, the storage duration may also be according to the statutory expiration periods, e.g. usually three years according to Sections 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch; BGB), and in certain cases also up to thirty years.
6. Are any data transmitted to a third country or international organisation?
Data transmission to third countries (countries outside of the European Economic Area - EEA) shall only take place as far as this is necessary to perform your orders (e. g. payment and securities obligations), required by law or if you have given your consent to this. We will inform you separately concerning any details if required by law.
7. What data protection rights do I have?
Every data subject has the right to information according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right of erasure according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right to objection from Article 18 GDPR and the right to data portability from Article 20 GDPR. The right of access and the erasure right are subject to the restrictions pursuant to Sections 34 and 35 BDSG. Furthermore, you have a right to complain to a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 GDPR).
8. Is there any obligation to provide data?
Within the scope of our business relationships you only need to provide such personal data that are needed to found, execute or terminate the business relationship or the collection of which is required by law. Without these data, we will usually have to refuse conclusion of a contract or execution of the order or will be unable to perform an existing contract or have to terminate it.
In particular, we are obligated under the anti-money-laundering obligations to identify you before founding the business relationship, e.g. using your personal ID, and to collect your name, place of birth, date of birth, nationality and residential address for this. In order to enable us to meet this statutory obligation, you must provide us with the necessary information and documents under the Anti-Money-Laundering Act and report any changes that occur in the course of the business relationship without undue delay. If you do not provide us with the information and documents required for this, we must not commence the business relationship desired by you.
9. To what extent is there any automated decision-making on a case-by-case basis?
In principle, we do not use any fully automated decision-making in accordance with Article 22 GDPR for establishing and carrying out the business relationship. If we use this procedure in individual cases, we will inform you about this separately if this is required by law.
10. To what extent are my data used for profile formation (scoring)?
We partially process your data automatically with the target of assessing certain personal aspects (profiling). We use profiling, e. g. in the following cases:
- Based on legal and regulatory specifications, we are obligated to fight money laundering, terrorism financing and asset-endangering crimes. This also includes data evaluations. These measures serve your protection at the same time.
- We use scoring within the scope of assessment of your creditworthiness. For this, we calculate the probabilities at which a customer will contractually meet his payment obligations. The calculation can include, e.g., income situation, spending, existing liabilities, profession, employer, duration of employment, experience from the former business relationships, contractual repayment of earlier credits and information from credit agencies. The scoring is based on mathematically and statistically recognised, tried and tested methods. The calculated score values support us in decision-making within the context of product conclusions and are included in the current risk management.
11. Information concerning your right to object according to Article 21 General Data Protection Regulation (GDPR)
You have the right to object, at any time and on grounds resulting from your particular situation, to processing of personal data concerning you that are processed based on point (e) of Article 6(1) GDPR (processing activities in the public interest) and point (f) of Article 6(1) GDPR (processing activities based on consideration of interests); this shall also apply to profiling based on this provision within the meaning of Article 4(4) GDPR, which we use for creditworthiness checks or for purposes of marketing.
If you object, we shall no longer process your personal data, except if we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms or if processing serves to establish, exercise or defend legal claims.
The objection can be filed informally and should be directed to:
Airbus Bank GmbH
Pranner Strasse 8