How we handle your data and your rights – Information according to Articles 12, 14 and 21 of the General Data Protection Regulation (GDPR)

1. Who is responsible for the processing activities? And who can I turn to?

Airbus Bank GmbH
Prannerstrasse 8
D-80333 Munich

You can contact our operational data protection officer at:

Airbus Bank GmbH / data protection officer
Prannerstrasse 8
D-80333 Munich
Email: datenschutz@airbusbank.com

2. What sources and data do we use?

We process personal data that we receive directly from you in the scope of our business relationship. We also process — as far as it is required for rendering our service - personal data that we have admissibly received from other companies of Genossenschaftliche FinanzGruppe Volksbanken Raiffeisenbanken or other third parties (e. g. from SCHUFA) (e. g. to perform Orders, meet contracts or based on consent given by you). On the other hand, we process personal data that we have admissibly acquired from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers, press, media, and internet) and are allowed to process.

Relevant personal data are personal Information (name, address and other contact details, date and place of birth and nationality), legitimation data (e. g. ID data) and authentication data (e. g. signature sample). Furthermore, they may also be order data (e. g. payment order, securities order), data from compliance with our contractual obligations (e. g. turnover data in payment transactions, credit scope, product details [e. g. contribution, credit and custodian business]), information concerning your financial Situation (e. g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e. g. Consulting record), register data, data concerning your use of our offered tele media (e. g. time of call of our websites, apps or newsletters, clicked pages or entries from us) as well as other data comparable to the categories named.

3. For what purpose do we process your data (purpose of processing) and what is the legal basis?

We process personal data in coordination with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG):

3.1  For compliance with contractual obligations (point (b) of Article 6(1) GDPR)

Processing of personal data (Article 4(2) GDPR) takes place for rendering and mediation of bank transactions, financial Services, as well as insurance and real estate transactions, in particular for performance of our contracts and carrying-out of your orders, as well as any necessary activities connected to operation and management of a credit and financial service institute.

The purposes of processing activities are mainly according to the specific product (e. g. account, loan, saving with a building society, securities, contributions, mediation, online banking) and can, inter alia, comprise demand analyses, consulting, asset management and support, as well as execution of transactions.

The further details for the purpose of processing activities can be taken from the respective contract documents and terms and conditions.

3.2  Within the scope of consideration of interests in accordance with point (f) of Article 6(1) GDPR)

As far as is necessary, we will process your data beyond the actual performance of the contract to protect legitimate interests of us or of third parties, e. g. in the following cases.

  • Consultation of and data exchange with credit rating agencies (e. g. SCHUFA) to determine creditworthiness or default risks and the needs in attachment protection accounts or basic accounts;
  • Review and optimisation of procedures for demand analysis and direct customer contact;
  • Marketing or market and opinion research as far as you have not objected to use of your data;
  • Establishment of legal claims and defences in legal disputes;
  • Ensuring IT security and IT operation of the bank;
  • Preventing and investigating criminal offences;
  • Video surveillance serves to collect evidence in case of criminal offences or evidence of disposals and payments made, e. g. at ATMs. They therefore serve protection of the customers and employees, as well as the house rights;
  • Measures for building and system security (e. g. access controls);
  • Measures to ensure house rights;
  • Measures for business control and further development of services and products.

3.3  Based on your consent (point (a) of Article 6(1) GDPR)

Where you have given your consent to processing of your personal data for specific purposes (e. g. forwarding of data in the network/group, evaluation of payment transaction data for marketing purposes), such processing is lawful based on your consent. Consent once given may be revoked at any time. This shall also apply to withdrawal of declarations of consent that were given to us before the application of the GDPR, i. e. before 25 May 2018 - e. g. in the SCHUFA clause.

Please note that the revocation will only be effective for the future. Processing that took place before the revocation is not affected by this.

3.4  Based on statutory provisions (point (c) of Article 6(1) GDPR) or in public interest (point (e) of Article 6(1) GDPR)

Additionally, we as a bank are subject to various legal obligations (e.g. Credit Management Act, Money Laundering Act, Securities Trading Act, tax laws) and banking supervision specifications (e. g. of the European Central Bank, the European Banking Supervision, the German Federal Bank and the Federal Institution for Financial Services Supervision). For purposes of processing, inter alia, the creditworthiness check, identity and age verification, fraud and money laundering prevention, compliance with controlling and notification obligations under tax law and evaluation and control of risks.

4. Who will receive my data?

Within the bank, those offices that require them in order to enable us to meet our contractual and statutory obligations will receive access to the data. Processors used by us (Article 28 GDPR) may receive data for these purposes named as well. These are companies in the categories of credit-management services, IT Services, logistics, printing services, telecommunication, cash collection, advice and consulting, as well as sales and marketing.

Concerning data forwarding to recipients outside of the bank, it must be observed first that we are obligated according to the general terms and conditions agreed between you and us to maintain secrecy concerning any customer-related facts and assessments that we gain knowledge of (banking secrecy). Information concerning you must only be passed on if legal provisions require this, you have consented to it or we have the right to provide bank information. Subject to these prerequisites, recipients of the personal data may be, e. g.:

  • Public offices and institutions (e.g. German Federal Bank, Federal Institution for financial Services supervision, European banking supervisory authority, European Central Bank, tax authorities) if there is any statutory or authority obligation.
  • Other credit and financial service institutes or comparable facilities to which we submit personal data to perform the business relationship with you (depending on contract: e.g. Companies of Genossenschaftliche FinanzGruppe Volksbanken Raiffeisenbanken, correspondence banks, custodian banks, stock exchanges, credit rating agencies).

Further data recipients may be those offices for the transfer to which you have given us your consent or released us from banking secrecy in accordance with an agreement or consent.

5. How long are my data stored for?

As far as required, we will process and store your personal data for the duration of our business relationship, e. g. including the preparation and processing of a contract. Please note that our business relationship is a continuing obligation that is set up to last for years.

Furthermore, we are subject to various storage and documentation obligations, inter alia resulting from the German Commercial Code (Handelsgesetzbuch; HGB), the Tax Code (Abgabenordnung; AO), the Banking Act (Kreditwesengesetz; KWG), the Anti-Money-Laundering Act (Geldwäschegesetz; GwG) and the Securities Trading Act (Wertpapierhandelsgesetz; WpHG). The time limits stipulated there for archiving or documentation are two to ten years.

Finally, the storage duration may also be according to the statutory expiration periods, e.g. usually three years according to Sections 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch; BGB), and in certain cases also up to thirty years.

6. Are any data transmitted to a third country or international Organisation?

Data transmission to third countries (countries outside of the European Economic Area - EEA) shall only take place as far as this is necessary to perform your orders (e. g. payment and securities obligations), required by law or if you have given your consent to this. We will inform you separately concerning any details if required by law.

7. What data protection rights do I have?

Every data subject has the right to Information according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right of erasure according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right to objection from Article 18 GDPR and the right to data portability from Article 20 GDPR. The right of access and the erasure right are subject to the restrictions pursuant to Sections 34 and 35 BDSG. Furthermore, you have a right to complain to a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 GDPR).

8. Is there any obligation to provide data?

Within the scope of our business relationships you only need to provide such personal data that are needed to found, execute or terminate the business relationship or the collection of which is required by law. Without these data, we will usually have to refuse conclusion of a contract or execution of the order or will be unable to perform an existing contract or have to terminate it.

In particular, we are obligated under the anti-money-laundering obligations to identify you before founding the business relationship, e.g. using your personal ID, and to collect your name, place of birth, date of birth, nationality and residential address for this. In order to enable us to meet this statutory obligation, you must provide us with the necessary information and documents under the Anti-Money-Laundering Act and report any changes that occur in the course of the business relationship without undue delay. If you do not provide us with the Information and documents required for this, we must not commence the business relationship desired by you.

9. In how far is there any automated decision-making on a case-by-case basis?

In principle, we do not use any fully automated decision-making in accordance with Article 22 GDPR for establishing and carrying out the business relationship. If we use this procedure in individual cases, we will inform you about this separately if this is required by law.

10.  In how far are my data used for profile formation (scoring)?

We partially process your data automatically with the target of assessing certain personal aspects (profiling). We use profiling, e. g. in the following cases:

  • Based on legal and regulatory specifications, we are obligated to fight money laundering, terrorism financing and asset-endangering crimes. This also includes data evaluations (e.g. in payment transactions). These measures serve your protection at the same time.
  • We use evaluation instruments in order to inform and advise you about products in a targeted manner. This permits demand-oriented communication or advertising, including market and opinion research.
  • We use scoring within the scope of assessment of your creditworthiness. For this, we calculate the probabilities at which a customer will contractually meet his payment obligations. The calculation can include, e.g., income situation, spendings, existing liabilities, profession, employer, duration of employment, experience from the former business relationships, contractual repayment of earlier credits and information from credit agencies. The scoring is based on the mathematically-statistically recognised and tried and tested methods. The calculated score values support us in decision-making within the context of product conclusions and are included in the current risk management.



Information concerning your right to object according to Article 21 General Data Protection Regulation (GDPR)

1. You have the right to object to processing of personal data concerning you that are processed based on point (e) of Article 6(l) GDPR (processing activities in the public interest) and point (f) of Article 6(l) GDPR (processing activities based on consideration of interests) based on grounds resulting from your particular Situation at any time; this shall also apply to profiling based on this provision within the meaning of Article 4(4) GDPR, which we use for creditworthiness checks or for purposes of marketing.

If you object, we shall no longer process your personal data, except if we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms or if processing serves to establish, exercise or defend legal claims.

2. In individual cases, we will process your personal data for direct marketing. You have the right to object to processing of personal data concerning you for such marketing, which includes profiling to the extent that is related to such direct marketing, at any time.

If you object to processing for direct marketing purposes, we shall no longer process your personal data for such purposes.

The objection can be filed informally and should be directed to:

Airbus Bank GmbH
Pranner Strasse 8
D-80333 Munich