Information about your rights as a user of this website
We, Deutsche Handelsbank AG (hereafter "Deutsche Handelsbank" or we/us), are happy that you are visiting our website. We are responsible for the content on this website.
With the information below, we would like to inform you (hereafter we may call you the User) about how we are implementing the stipulations of the EU General Data Protection Regulation (GDPR), how we are protecting your personal privacy, and how your personal information is processed in connection with your use of our website.
The GDPR grants you certain rights as a person affected by the processing of personal data, and we would like to inform you especially about these in the attachment to this data protection information. We have also explained in this attachment the most important terminology used in our data protection information.
The information in this document is applicable to all users of our website. If you are a customer of ours, or if you register in some other way for one of the closed areas of our website, we may process additional or other data. Which data this involves and the purpose of its use, as well as how your data are protected, can be found in the applicable data protection information, which is a valid supplement to this document and which you can look at when you register for these services.
If you consider the information below to be insufficient or unclear, please contact our data protection officer immediately. The contact details are below.
1. Who is responsible for data processing and who can I contact?
The office in charge is:
Deutsche Handelsbank AG
80687 Munich, Germany
Telephone: +49 89 244 157-200
If you have questions about this data protection information, please contact our data protection officer:
Deutsche Handelsbank AG
Data Protection Officer
80687 Munich, Germany
Telephone: +49 89 244 157-200
The regulatory authority responsible for us is:
Bayerischen Landesamt für Datenschutzsicherheit
P.O. Box 606
91511 Ansbach, Germany
Telephone: +49 981 53 1300
Fax: +49 981 53 98 1300
The authority also offers a complaint form.
2. General Principles and Data Protection Information
2.1 Scope of processing for personal data
In principle, we only collect and use personal data from users of our website if this is necessary to display a functional website and/or to present our contents and services via our web or online content (including mobile apps).
Normally, personal data are only collected and used for other purposes when:
- The user has agreed to this
- The processing is for the purpose of fulfilling a contract
- The processing is necessary to protect our legitimate interests, insofar as they are not outweighed by the affected person's interests or basic rights and freedoms that require protection for personal data.
Additionally, there is a valid exception in cases where it is not possible to obtain prior consent due to factual reasons, or where processing of the data is permitted by legal regulations.
2.2 Legal Basis
Insofar as we obtain prior consent for the processing of personal data, Art. 6 Para. 1a of the GDPR serves as the legal basis for processing personal data.
When processing personal data required to fulfil a contract with the affected person as a contractual party, Art. 6 Para. 1b GDPR is the legal basis. This legal basis also applies to processing that is required for pre-contractual measures or contract preparation.
Insofar as processing of personal data is required to fulfil a legal obligation to which we are subject, the legal basis is Art. 6 Para. 1c GDPR. For cases where vital interests of the affected person or another natural person require the processing of personal data, Art. 6 Para. 1d GDPR serves as the legal basis.
If the processing is required to protect our company's or a third party's legitimate interests, and if the interests, basic rights and basic freedoms of the affected person do not outweigh those legitimate interests, then Art. 6 Para. 1f serves as the legal basis for processing.
2.3 Obtaining consent / Right of withdrawal
Consent according to Art. 6 Para. 1a GDPR is normally obtained electronically. Consent is typically given by placing a checkmark in the appropriate space for the purpose of documenting the giving of consent, or by clicking on an appropriate button.
In the case of electronic consent, a double opt-in process is used for the purpose of identifying the user (e.g. when signing up for newsletters). The content of the consent declaration is recorded electronically. We are happy to provide this to you on request.
Right of withdrawal: Please note that a given consent can be withdrawn in part or in full at any time with effect for the future; the legality of the processing which occurred due to consent prior to withdrawal shall remain unaffected. Please direct any withdrawal to the contacts listed in section 1 above (Data Protection Office or Officer).
2.4 Possible Recipients of Personal Data
To provide our web and online content, we sometimes use service providers who act on our behalf and according to our instructions as part of providing the service (tasked processors). These providers may receive or be in contact with personal data as part of providing the service, and are third parties or receivers according to the GDPR.
In such cases we ensure that our service providers offer sufficient guarantees that suitable technical and administrative measures are present and that processing is carried out in such a way that it is in compliance with the requirements of these guidelines and that the protection of rights for the affected person is guaranteed (cf. Art. 28 GDPR).
Insofar as personal data are transmitted to third parties outside of tasked processing, we ensure that this is exclusively in compliance with the requirements of the GDPR and only when there is a corresponding legal basis (see section 2.2). Insofar as such a transmission occurs, this will be expressly noted in the information below, giving the corresponding legal basis, and naming the third party recipient or category of recipients.
On request we would be glad to provide you with further information about the service providers that we use.
2.5 Data Processing in Non-EU Countries
Your personal data are normally processed within the EU or the European Economic Area.
It is only possible in exceptional cases that information may be transmitted to non-EU countries (e.g. in connection with the use of providers of web analytics services). These countries are outside of the European Union and/or outside of the European Economic Area Agreement, where one cannot assume an appropriate level of data protection corresponding with the EU standard.
Insofar as the transmitted data also includes personal data, we ensure before transmission that the country or specific recipient in that country can guarantee an appropriate level of data protection. This can be ensured by an "Adequacy Decision" from the European Commission, or by the use of the "EU Standard Contract Clauses". In the case of recipients in the USA, compliance with the principles of the "EU-US Privacy Shield" can also ensure an appropriate level of data protection. On request, we would be glad to provide you with further information on the suitable and appropriate guarantees for compliance with an appropriate level of data protection. Contact details are listed in section 1. You can also find information about the participants in the EU-US Privacy shield here: www.privacyshield.go/list
2.6 Data deletion and duration of storage
We delete personal data as soon as the purpose of processing them ceases to exist. Data are only saved after this if such action is intended by European or national lawmakers in Union regulations, laws or other rules to which our company is subject (e.g. to fulfil legal record-keeping obligations and/or there exist legitimate interests in saving the data, e.g. during the period of statutes of limitations for the purpose of legal defence against any claims, or during an ongoing legal conflict). Data are also deleted when a prescribed and normed record-keeping obligation runs out, unless there is a necessity for continued saving of the data to complete a contract or for other purposes.
2.7 Rights of Affected Persons
The GDPR grants you certain rights as a person affected by the processing of personal data. If you would like to make use of one or more of these rights, you may contact one of our employees at any time. Please use the contact options listed under section 1. The rights of affected persons are explained individually and attached hereafter.
3. Data Processing for the Provision of the Website / Recording Log Data
3.1 Description and scope of the data processing
Each time our internet page is called up, our system automatically records data and information about the computer system from which the request is made. The following data are recorded (hereafter called "Log Data"):
- Information about the browser type and the version in use ("User Agent");
- The user's operating system
- The user's internet service provider
- The user's IP address
- Date, time, and duration of access
- Websites from where the user's system reaches our internet page ("Referrer")
- Websites accessed by the user's system from our website
These log data do not facilitate any personal connection to the user, except for the IP address. A personal connection can only be created by the allocation or connection of the log data to an IP address.
3.2 Purpose of data processing
Collecting and processing log data, particularly the IP address, is for the purpose of presenting the contents on our website to the user, i.e. for the purpose of communication between the user and our web/online content.
For the duration of each communication process, it is necessary to save the IP address temporarily. This is required to address the communication traffic between the user and our web/online content, and/or is necessary in order to make use of our web/online content.
Beyond this communication process, the IP address is also processed and saved in log files for the purpose of ensuring the functionality of our web/online contents, for the purpose of optimising these contents, and also to ensure the security of our IT systems.
We also analyse these data for statistical purposes. This is carried out in a summarised form and there is no tracing back to individual users.
3.3 Legal Basis
The legal basis for collecting and processing the log data, insofar as this is personal data, is Art. 6 Para. 1b GDPR (Contract fulfilment and preparation).
The legal basis for saving the IP address beyond the communication process is Art. 6 Para. 1f GDPR (Protecting legitimate interests).
3.4 Data deletion and duration of storage
The data are deleted as soon as they are no longer required to achieve the purpose of their collection. In cases where the data are recorded in order to display the website, this happens when the current session - the website visit - has ended. Beyond this, the log data including the IP address are saved for the purposes of system security for a maximum period of seven (7) days after the user stops accessing the page.
Saving or processing the log data beyond this is possible and permissible insofar as the user's IP address is deleted after the storage limitation of seven (7) days, or anonymised such that it is no longer possible to match the log data to an IP address.
3.5 Objection and removal options
The collection of log data is absolutely necessary for the display of the website, including saving the data in log files within the above-named limits. Therefore, there exists no option for the user to object.
An exception is applicable to processing the log data for analysis purposes. This is in compliance with section 6, depending on the web analytics tools in use and the type of data analysis (personally connected / anonymous / pseudonymous).
4.1 Description and scope of data processing
We use a) technically necessary cookies, b) analytics cookies, and c) third party provider cookies.
a) Technically necessary cookies are used to create more user-friendliness in our web/online content. Technically necessary cookies save the following data and transmit them to our systems:
- Language settings
- Information about the end user device / PC and its settings
- Login information
b) Analytics cookies (also called Session Cookies) are used to analyse the user's surfing behaviour within our web and/or online contents, for the purposes of advertising, market research, or analysis for appropriate arrangement of our content. The following data are collected via cookies and transmitted to our systems:
- Search terms entered
- Frequency of page accesses
- Use of website functions
The user data collected in this way are pseudonymised via technical arrangements. It is then no longer possible to match the data to the user requesting the access.
c) Third party provider cookies are provided by third parties and not by our web servers. This includes embedded "Like" buttons. When such a button is clicked, Facebook saves its own cookie in the user's browser. Third party provider cookies can never be searched or analysed by us. The third party providers are solely responsible for the use of such cookies; there is no possibility for us to influence them.
See section 6 with regard to the third party providers.
Most browsers accept cookies automatically. You may delete any previously set cookies on your end user device at any time, or set your browser to accept no cookies, which can lead to limitations on the functionality of our content. For details on how this works, please read the instructions for your browser or from your end user device manufacturer.
4.2 Purpose of data processing
- Applying language settings
- Remembering search terms
The user data collected via technically necessary cookies are not used to create user profiles.
Analytics cookies are used to improve the quality of our website and its contents. Analytics cookies allow us to learn how the website is used, so that we can continually improve our contents (see above).
4.3 Legal basis
The legal basis for the use of technically necessary cookies is Art. 6 Para. 1b GDPR, insofar as the potential exists to create a personal connection to the user, and their use is necessary for the purposes of providing our web and/or online contents for the purposes of contract fulfilment, and additionally Art. 6 Para. 1f GDPR, because they are also used to protect legitimate interests for the purpose of providing web and/or online services.
The legal basis for processing personal data by using analytics cookies, insofar as the potential exists to create a personal connection to the user, when the user has given consent, is Art. 6 Para. 1a GDPR. If analytics cookies are used to create pseudonymous analyses, the legal basis is Art. 6 Para. 1f GDPR (Protection of legitimate interests).
4.4 Data deletion and duration of storage
The cookies are saved on the end user's device (smart device or PC) and transmitted from there to our websites. We differentiate between permanent cookies and session cookies. Session cookies are saved for the duration of a browser session and are deleted when the browser is closed. Permanent cookies are not deleted when the browser session is closed, but are saved for a longer period on the end user's device.
4.5 Objection and removal options
When accessing our website, users are informed about cookie use by way of an information banner that points to this data privacy information. The banner also collects the user's consent for the processing of personal data used in this context.
5.1 Description and scope of data processing
If you would like to take advantage of the newsletter we offer, we require a valid email address from you. To determine that you are the owner of the given email address or that its owner is willing to receive the newsletter, after the first step of registration we will send an automated email to the email address supplied (double opt-in). We only add the given email address to our list after newsletter registration is confirmed via a link in the confirmation email. We do not collect any other data beyond the email address and the information about confirming registration.
5.2 Purpose of data processing
Your data are processed exclusively for the purpose of sending the newsletter you have requested.
5.3 Legal basis
The legal basis for this processing is Art. 6 Para. 1a GDPR (Consent), which you give us when you request the newsletter.
5.4 Data deletion and duration of storage
We save the data for sending the newsletter, conditional on a deletion request, as long as we require the data for sending the newsletter. The data are therefore deleted when you unsubscribe from the newsletter or when we stop distributing the newsletter you have subscribed to.
5.5 Objection and removal options
You may unsubscribe from the newsletter at any time; additionally, the right of withdrawal applies, as explained in section 10 below.
6. Web Analytics via Google Analytics
6.1 Description and purpose of web analytics
To optimise our websites and adjust to the changing habits and technical conditions of our users, we use tools for web analytics. In doing this we measure, for example, which elements are visited by users, whether the desired information is easy to find, etc. This information only becomes interpretable and meaningful when viewing a large group of users. To do this, the data are aggregated, i.e. summarised in larger units. This means we can adjust page design or optimise contents, for example if we determine that a significant proportion of visitors are using new technologies or find it difficult or impossible to find available information.
6.2 Google Analytics
We use the analytics software Google Analytics, a web analytics service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). Google Analytics uses a tracking cookie to recognise a returning user who has already visited our website in the past. The cookie is a small text file saved on your computer to enable an analysis of the progress of visits to our website (usage profiles). The tracking cookie lasts for one week. The information recorded by the cookie about your use of our website (including your IP address) is usually transmitted to a Google server in the USA and saved there. We have added the code "gat._anonymizeIp();" to Google Analytics to ensure that the recorded IP addresses are anonymised (IP masking).
Therefore, at our instruction, Google will shorten your IP address (the number assigned to your computer by your internet access provider) within the member states of the European Union or in other states contracted under the European Economic Area Agreement. The usage profiles created by Google Analytics are therefore anonymised, which means it is factually impossible to trace them back to a specific person. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Google also complies with the data protection regulations of the US Safe Harbor agreement and is registered in the US Ministry of Trade Safe Harbor Program.
The usage profiles contain such information as length of visit, approximate geographic location, origin of visitor traffic, exit points and usage records. Google uses this information to analyse your use of our website, to create reports about website activity for us, and to provide us with other services related to the usage of our website and the internet. We delete the anonymised usage profiles recorded by Google after twelve months.
The IP address transmitted by Google Analytics from your browser is not combined with other data from Google. Google only transmits these data to third parties due to legal regulations or as part of their task of data processing.
By using our website you declare that you agree to the processing of the data collected about you by Google, and the above described method of data processing and the named purpose. You may prevent the cookies from being saved by changing your browser settings. However, we inform you that in this case you will not be able to use all the functions of our website. Beyond this, you may prevent the recording of the data created by the cookie with regard to your use of the website (including IP address) and prevent Google from processing these data, by downloading and installing the browser plugin available at this link: tools.google.com/dlpage/gaoptout. As an alternative to the browser add-on, or within browsers on mobile devices, you can prevent recording by Google Analytics by clicking on the following link. An opt-out cookie is created that will in future prevent your data from being recorded when you visit this website. Deactivate Google Analytics.
You can find more information about Google Analytics and data protection at tools.google.com/dlpage/gaoptout and www.google.com/intl/de/policies/privacy/index.html.
7. Contact form and email contact
7.1 Description and scope of data processing
Our website includes a contact form which the user can use to contact us electronically. If the user takes advantage of this opportunity, the data entered in the form will be transmitted to us and saved. These data consist of:
- Last name, first name, title
- Telephone number, email address
- Subject, category of request
- Message text and any personal data you include in it
When the message is sent, the following data are also processed and saved:
- User's IP address
- Date and time sent
- Ticket number
Alternatively, it is possible to contact us using the email address given on our website. In this case, the personal data sent with the email will be saved by us. We never pass these data on to third parties, unless we have to contact third parties to process the query.
7.2 Purpose of data processing
The data are processed exclusively for the purpose of answering the query or the user's request. The other data collected during the sending process serve to prevent misuse of the contact form and to guarantee the security of our IT systems.
7.3 Legal basis
The legal basis for processing these data, insofar as the data processing is for the purpose of fulfilling a task or answering a customer query, is Art. 6 Para. 1b GDPR, no matter whether the contact is made via the contact form or via email.
When the user has given consent, Art. 6 Para. 1a is the corresponding legal basis.
The legal basis for collecting additional data during the sending process is Art. 6 Para. 1f GDPR; the legitimate interest here is prevention of misuse and ensuring system security (see above).
7.4 Data deletion and duration of storage
Query data are normally deleted as soon as they are no longer required to achieve the purpose for which they were collected. For personal information from the contact form and sent via email, this occurs when communication with the user has concluded and/or the user's query has been given a final answer. The communication is considered to have ended or to have a final answer when the circumstances allow it to be understood that the content has been clarified conclusively. Instead of deletion, these data are saved with a processing restriction, insofar as continued storage of the data is required for the reasons listed in section 2.6, that is, if the query or its contents are subject to legal or supervisory record-keeping obligations.
The additional personal information collected during the sending process is deleted after a period no longer than seven (7) days.
7.5 Objection and removal options
At any time users have the option to stop communicating with us and/or to withdraw their query, objecting to the corresponding use of their data. In such a case the communication cannot be continued. All personal data saved during contact initiation shall be deleted in this case, unless it is a requirement to save the data for the reasons listed in section 2.6.
We have taken the necessary technical and administrative security actions to protect your personal data from loss and misuse. Your data are saved in a secure operating environment in a certified computer centre in Germany which is not open to the public.
If you would like to contact us by email, we point out that the confidentiality of the transmitted information is not guaranteed. The content of emails may be viewed by third parties. We therefore recommend that, if you need to send us confidential information, e.g. application documents, you do so exclusively by post.
9. Changes to this data protection statement
For legal and/or organisational reasons, changes or adjustments will be necessary to our data protection statement. With regard to this, please take note of the current version of our data protection statement, to which you have automatic access by clicking on the appropriate link shown to you as part of the cookie consent query. Changes always apply to personal data collected in future. Protection of data we collect and save before the change shall remain unaffected.
10. Your rights as an affected person
The GDPR grants you certain rights as a person affected by the processing of personal data, and we inform you of these rights in the attachment to this data protection information.
If you have questions about data protection, please contact us. It is best to use the following contact address:
Deutsche Handelsbank AG
Data Protection Officer
80687 Munich, Germany
Telephone: +49 89 244 157-200
Version: May 2018