Data Protection Information for online banking

Deutsche Bank AG (Bank), as controller within the meaning of the General Data Protection Regulation (“GDPR”), collects and processes personal data and other information about you when you use online banking. The following information provides an overview of how we process your personal data with regard to our online banking.

1. Who is responsible for data processing and whom can I contact in this regard?

The appropriate Controller responsible for you in the context of online banking is based on the respective “Conditions for Access to Deutsche Bank AG through Electronic Media” agreed between you and us.

Controller for clients of Deutsche Bank AG:

Deutsche Bank AG

Taunusanlage 12

60325 Frankfurt am Main

Telephone: (069) 910-10000

Fax: (069) 910-10001

E-Mail: deutsche.bank@db.com

Our internal data protection officer may be contacted at

Deutsche Bank AG

Data Protection Officer

Taunusanlage 12

60325 Frankfurt am Main

Telephone: (069) 910-10000

E-Mail: datenschutz.db@db.com

2. What sources and data do we use and for which purpose?

Login

We process personal data when you log on to online banking. The following credentials will be processed: account number and personal identification number (PIN).

Transaction

To perform a transaction via online banking, we use 2-factor authentication (PIN-TAN procedure) to process the personally assigned transaction number (TAN) and the IP address of the terminal from which the transaction was initiated.

Photo Transfer (SmartÜberweisung)

When you use the Photo Transfer tool, text recognition software extracts the relevant payment information (payment recipient, payment reference, amount, etc.) from an image file and inserts it into the transfer screen.

Branches and ATMs Finder

To use Branches & ATMs Finder, the YellowMap service is used within online banking to display maps and create directions. If you use the service, your current position (location data) will be transmitted to YellowMap. YellowMap is operated by YellowMap AG, CAS-Weg 1-5, 76131 Karlsruhe, Germany. At www.yellowmap.com you will find information on the privacy policy of YellowMap AG.

Use of individual digital services in online banking

When you use special digital services in online banking (for example Deutsche Bank FinanzPlaner), different categories of personal data or data processing may apply. The supplementary data protection information is listed in the terms of use of the respective service in the section "Data Protection". For further information on the individual terms of use of the digital services, please follow the link below:

https://www.deutsche-bank.de/pfb/content/pk-rechtliche-hinweise.html?pfb_toggle=34735-34742

Cookies

In addition, we use cookies as part of online banking for various purposes. For information on how we use these cookies in our online banking and how you can deactivate them, please see the following link:

https://www.deutsche-bank.de/pfb/content/pk-datenschutz.html

3. On what legal basis do we process your data?

We process the aforementioned personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):


a. for the performance of contractual obligations (article 6 (1) b) GDPR)

The legal basis for the processing of your personal data is the “Conditions for Access to Deutsche Bank AG through Electronic Media” agreed between you and us for using online banking.
The purposes of the data processing are primarily dependent on the specific service. For further details on the purpose of the data processing, please refer to the respective contractual documentation and terms and conditions.


b. for the purposes of safeguarding legitimate interests (article 6 (1) f) GDPR)


Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by a third party. Examples:

  • Asserting legal claims and mounting a defense in the event of litigation
  • Ensuring the bank’s IT security and IT operations
  • Preventing crimes
  • Measures to manage business and further develop services and products
  • Group risk management


c. on the basis of your consent (article 6 (1) a) GDPR)


Insofar as you have granted us consent to the processing of personal data for specific purposes (e.g. for information service on current offers and important financial topics), the lawfulness of such processing is based on your consent. For your rights with regard to granted consent, please refer to chapter 7 of this Data protection information. You can request a status overview of the consents you have granted from us at any time or view some of them via online banking.


d. for compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) e) GDPR)

As a bank, we are also subject to various legal obligations, i. e., statutory requirements (e. g., the German Banking Act (Kreditwesengesetz – KWG), the German Money Laundering Act (Geldwäschegesetz – GwG), the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG), tax laws) as well as banking supervisory requirements (e. g., the European Central Bank, the European Banking Supervisory Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin)). Other purposes of processing include credit checks, identity and age verification, anti-fraud and anti-money laundering measures, the satisfaction of tax law control and reporting obligations as well as the assessment and management of risks in the bank and the Group.

4. Who receives my data?

Within Deutsche Bank AG, access to your online banking data is given to those offices that require it in order to perform our contractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they observe professional secrecy and our written instructions under data protection law. These are mainly companies from the categories listed below.

With regard to the transfer of data to recipients outside the Deutsche Bank AG, it must first of all be noted that as a bank we are under a duty to maintain secrecy about any customer related facts and evaluations of which we may have knowledge. We may only disclose information about you if we are legally required to do so, if you have given your consent, if we are authorized to provide information and / or if processors commissioned by us guarantee compliance with secrecy and the provisions of the GDPR / BDSG.

Under these conditions, recipients of personal data may be, for example:

  • Public authorities and institutions (e. g., Deutsche Bundesbank, BaFin, the European Banking Authority, the European Central Bank, tax offices, the German Federal Central Tax Office (Bundeszentralamt für Steuern)) insofar as a statutory or official obligation exists.
  • Institutions and processors to whom we transfer personal data in order to perform the business relationship with you. Specifically: support / maintenance of EDP/ IT applications, especially for Optical Character Recognition - Technology (Photo Transfer/SmartÜberweisung), Document-Safe-Solution, Location service (GPS), Banking service for aggregation of financial data, Mobile Payment Services.

Other recipients of data may be those offices to which you have given your consent to the transfer of data or with respect to which you have exempted us from banking secrecy by agreement or consent.

5. Is data transferred to a third country or to an international organisation?

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your orders (e. g. payment and securities orders), prescribed by law (e. g. reporting obligations under tax law), if you have given us your consent or in the context of commissioned data processing. If service providers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.

6. How long will my data be stored?

We process and store your personal data as long as it is necessary for the performance of our contractual (“Conditions for Access to Deutsche Bank AG through Electronic Media”) and statutory obligations.

If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:

  • Compliance with records retention periods under commercial and tax law, such as the German Commercial Code (Handelsgesetzbuch – HGB); the German Tax Code (Abgabenordnung – AO); the Banking Act (Kreditwesengesetz – KWG); the Money Laundering Act (Geldwäschegesetz – GwG); and the Securities Trading Act (Wertpapierhandelsgesetz – WpHG). The records retention periods prescribed therein range from two to 10 years.
  • Preservation of evidence within the scope of statutes of limitations. Under section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may be up to 30 years, whereby the regular limitation period is three years.

7. What data protection rights do I have?

Every data subject has a right of access (article 15 GDPR), a right to rectification (article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to data portability (article 20 GDPR). The right of access and right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).

You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i.e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.

In principle, we do not use fully automated decision-making pursuant to Article 22 of the GDPR to justify and implement the business relationship. Should we use these procedures in individual cases, we will inform you separately if required by law.

Information on your right to object under article 21 of the EU General Data Protection Regulation (GDPR)

1. Ad hoc right to object


You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 (4) GDPR.
If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defense of legal claims.


2. Right to object to the processing of data for marketing purposes


In certain cases, we process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes. There are no formal requirements for lodging an objection; where possible it should be made by telephone to: +49 (069) 910 10000.

Data protection information under the EU General Data Protection Regulation

In addition to the above-mentioned specific data protection information for online banking, the following data protection information under the EU General Data Protection Regulation also applies with regard to the processing of personal data in connection with the use of bank products.

Deutsche Bank AG

If you are not satisfied with the data protection measures described here, or if you have any questions regarding the collection, processing and / or use of your personal data, we would be pleased to hear from you. We will do our best to answer your questions as quickly as possible and to implement your suggestions. Please direct your privacy issues to datenschutz.db@db.com; for other concerns, please contact us at deutsche.bank@db.com.