Information about your rights as a user of this website
We are Deutsche Handelsbank AG (hereafter "Deutsche Handelsbank" or we/us), and we are happy that you are visiting our website. We are responsible for the content on this website.
With the information below, we would like to inform you (hereafter we may call you the User) about how we are implementing the stipulations of the EU General Data Protection Regulation (GDPR), how we are protecting your personal privacy, and how your personal information is processed in connection with your use of our website.
The GDPR grants you certain rights as a person affected by the processing of personal data, and we would like to inform you especially about these in the attachment below. We have also explained in this attachment the most important terminology used in our data protection information.
The information in this document is applicable to all users of our website. If you are a customer of ours, or if you register in some other way for one of the closed areas of our website, we may process additional or other data. Which data this involves and the purpose of its use, as well as how your data are protected, can be found in the applicable data protection information, which validly supplements this document and which you can consult when you register for these services.
If you consider the information below to be insufficient or unclear, please contact our data protection officer immediately. The contact details are below.
1. Who is responsible for data processing and who can I contact?
The office in charge is:
Deutsche Handelsbank AG
80687 Munich, Germany
Telephone: +49 89 244 157-200
If you have questions about this data protection information, please contact our data protection officer:
2B Advice GmbH
53227 Bonn, Germany
Telephone: +49 02 28 926 165 120
The regulatory authority responsible for us is:
Bayerischen Landesamt für Datenschutzsicherheit
91511 Ansbach, Germany
Telephone: +49 981 53 1300
Fax: +49 981 53 98 1300
The authority also offers a complaint form.
2. General Principles and Data Protection Information
2.1 Scope of processing for personal data
In principle, we only collect and use personal data from users of our website if this is necessary to display a functional website and/or to present our contents and services via our web or online content (including mobile apps).
Normally, personal data are only collected and used for other purposes when:
- The user has agreed to this
- The processing is for the purpose of fulfilling a contract
- The processing is necessary to protect our legitimate interests, insofar as they are not outweighed by the affected person’s interests or basic rights and freedoms that require protection for personal data.
Additionally, there is a valid exception in cases where it is not possible to obtain prior consent due to factual reasons, or where processing of the data is permitted by legal regulations.
2.2 Legal Basis
Insofar as we obtain prior consent for the processing of personal data, Art. 6 Para. 1a of the GDPR serves as the legal basis for processing personal data.
When processing personal data required to fulfil a contract with the affected person as a contractual party, Art. 6 Para. 1b GDPR is the legal basis. This legal basis also applies to processing that is required for pre-contractual measures or contract preparation.
Insofar as processing of personal data is required to fulfil a legal obligation to which we are subject, the legal basis is Art. 6 Para. 1c GDPR. For cases where vital interests of the affected person or another natural person require the processing of personal data, Art. 6 Para. 1d GDPR serves as the legal basis.
If the processing is required to protect our company’s or a third party’s legitimate interests, and if the interests, basic rights and basic freedoms of the affected person do not outweigh the first interest, then Art. 6 Para. 1f serves as the legal basis for processing.
2.3 Obtaining consent / Right of withdrawal
Consent according to Art. 6 Para. 1a GDPR is normally obtained electronically. Consent is typically given by placing a checkmark in the appropriate space for the purpose of documenting the giving of consent, or by clicking on an appropriate button.
In the case of electronic consent, a double opt-in process is used for the purpose of identifying the user (e.g. when signing up for newsletters). The content of the consent declaration is recorded electronically. We are happy to provide this to you on request.
Right of withdrawal: Please note that a given consent can be withdrawn in part or in full at any time with effect for the future; the legality of the processing which occurred due to consent prior to withdrawal shall remain unaffected. Please direct any withdrawal to the contacts listed in section 1 above (Data Protection Office or Officer).
2.4 Possible Recipients of Personal Data
To provide our web and online content, we sometimes use service providers who act on our behalf and according to our instructions as part of providing the service (tasked processors). These providers may receive or be in contact with personal data as part of providing the service, and are third parties or receivers according to the GDPR.
In such cases we ensure that our service providers offer sufficient guarantees that suitable technical and administrative measures are present and that processing is carried out in such a way that it is in compliance with the requirements of these guidelines and that the protection of rights for the affected person is guaranteed (cf. Art. 28 GDPR).
Insofar as personal data are transmitted to third parties outside of tasked processing, we ensure that this is exclusively in compliance with the requirements of the GDPR and only when there is a corresponding legal basis (see section 2.2). Insofar as such a transmission occurs, this will be expressly noted in the information below, giving the corresponding legal basis, and naming the third party recipient or category of recipients.
On request we would be glad to provide you with further information about the service providers that we use.
2.5 Data Processing in Non-EU Countries
Your personal data are normally always processed within the EU or the European Economic Area.
It is only possible in exceptional cases that information may be transmitted to non-EU countries (e.g. in connection with the use of providers of web analytics services). These countries are outside of the European Union and/or outside of the European Economic Area Agreement, where one cannot assume an appropriate level of data protection corresponding with the EU standard.
Insofar as the transmitted data also includes personal data, we ensure before transmission that the country or specific recipient in that country can guarantee an appropriate level of data protection. This can be ensured by an "Adequacy Decision" from the European Commission, or by the use of the "EU Standard Contract Clauses".
2.6 Data deletion and duration of storage
We delete personal data as soon as the purpose of processing them ceases to exist. Data are only saved after this if such action is intended by European or national lawmakers in Union regulations, laws or other rules to which our company is subject (e.g. to fulfil legal record-keeping obligations and/or there exist legitimate interests in saving the data, e.g. during the period of statutes of limitations for the purpose of legal defence against any claims, or during an ongoing legal conflict). Data are also deleted when a prescribed and normed record-keeping obligation runs out, unless there is a necessity for continued saving of the data to complete a contract or for other purposes.
2.7 Rights of Affected Persons
The GDPR grants you certain rights as a person affected by the processing of personal data. If you would like to make use of one or more of these rights, you may contact one of our employees at any time. Please use the contact options listed under section 1. The rights of affected persons are explained individually and attached hereafter.
3. Data Processing for the Provision of the Website / Recording Log Data
3.1 Description and scope of the data processing
Each time our internet page is called up, our system automatically records data and information about the computer system from which the request is made. The following data are recorded (hereafter called "Log Data"):
- Information about the browser type and the version in use ("User Agent");
- The user's operating system
- The user's internet service provider
- The user's IP address
- Date, time, and duration of access
- Websites from where the user's system reaches our internet page ("Referrer")
- Websites accessed by the user's system from our website
These log data do not facilitate any personal connection to the user, except for the IP address. A personal connection can only be created by the allocation or connection of the log data to an IP address.
3.2 Purpose of data processing
Collecting and processing log data, particularly the IP address, is for the purpose of presenting the contents on our website to the user, i.e. for the purpose of communication between the user and our web/online content. For the duration of each communication process, it is necessary temporarily to save the IP address. This is required to address the communication traffic between the user and our web/online content, and/or is necessary in order to make use of our web/online content.
Beyond this communication process, the IP address is also processed and saved in log files for the purpose of ensuring the functionality of our web/online contents, for the purpose of optimising these contents, and also to ensure the security of our IT systems.
We also analyse these data for statistical purposes. This is carried out in a summarised form and there is no tracing back to individual users.
3.3 Legal Basis
The legal basis for collecting and processing the log data, insofar as this is personal data, is Art. 6 Para. 1b GDPR (Contract fulfilment and preparation).
The legal basis for saving the IP address beyond the communication process is Art. 6 Para. 1f GDPR (Protecting legitimate interests).
3.4 Data deletion and duration of storage
The data are deleted as soon as they are no longer required to achieve the purpose of their collection. In cases where the data are recorded in order to display the website, this happens when the current session - the website visit - has ended. Beyond this, the log data including the IP address are saved for the purposes of system security for a maximum period of seven (7) days after the user stops accessing the page.
Saving or processing the log data beyond this is possible and permissible insofar as the user’s IP address is deleted after the storage limitation of seven (7) days, or anonymised such that it is no longer possible to match the log data to an IP address.
3.5 Objection and removal options
The collection of log data is absolutely necessary for the display of the website, including saving the data in log files within the above-named limits. Therefore, there exists no option for the user to object.
4.1 Description and scope of data processing
We use technically necessary cookies.
Technically necessary cookies are used to create more user-friendliness in our web/online content. Technically necessary cookies save the following data and transmit them to our systems:
- Language settings
- Information about the end user device / PC and its settings
- Login information
Most browsers accept cookies automatically. You may delete any previously set cookies on your end user device at any time, or set your browser to accept no cookies, which can lead to limitations on the functionality of our content. For details on how this works, please read the instructions for your browser or from your end user device manufacturer.
4.2 Purpose of data processing
- Applying language settings
- Remembering search terms
The user data collected via technically necessary cookies are not used to create user profiles.
4.3 Legal basis
The legal basis for the use of technically necessary cookies is Art. 6 Para. 1b GDPR, insofar as the potential exists to create a personal connection to the user, and their use is necessary for the purposes of providing our web and/or online contents for the purposes of contract fulfilment, and additionally Art. 6 Para. 1f GDPR, because they are also used to protect legitimate interests for the purpose of providing web and/or online services.
The legal basis for processing personal data by using analytics cookies, insofar as the potential exists to create a personal connection to the user, when the user has given consent, is Art. 6 Para. 1a GDPR. If analytics cookies are used to create pseudonymous analyses, the legal basis is Art. 6 Para. 1f GDPR (Protection of legitimate interests).
4.4 Data deletion and duration of storage
The cookies are saved on the end user’s device (smart device or PC) and transmitted from there to our websites. We differentiate between permanent cookies and session cookies. Session cookies are saved for the duration of a browser session and are deleted when the browser is closed. Permanent cookies are not deleted when the browser session is closed, but are saved for a longer period on the end user’s device.
4.5 Objection and removal options
When accessing our website, users are informed about cookie use by way of an information banner that points to this data privacy information. The banner also collects the user’s consent for the processing of personal data used in this context.
5. Contact form and email contact
5.1 Description and scope of data processing
Our website includes a contact form which the user can use to contact us electronically. If the user takes advantage of this opportunity, the data entered in the form will be transmitted to us and saved. These data consist of:
- Last name, first name, title
- Telephone number, email address
- Subject, category of request
- Message text and any personal data you include in it
When the message is sent, the following data are also processed and saved:
- User's IP address
- Date and time sent
- Ticket number
Alternatively, it is possible to contact us using the email address given on our website. In this case, the personal data sent with the email will be saved by us. We never pass these data on to third parties, unless we have to contact third parties to process the query.
5.2 Purpose of data processing
The data are processed exclusively for the purpose of answering the query or the user's request. The other data collected during the sending process serve to prevent misuse of the contact form and to guarantee the security of our IT systems.
5.3 Legal basis
The legal basis for processing these data, insofar as the data processing is for the purpose of fulfilling a task or answering a customer query, is Art. 6 Para. 1b GDPR, no matter whether the contact is made via the contact form or via email.
When the user has given consent, Art. 6 Para. 1a is the corresponding legal basis.
The legal basis for collecting additional data during the sending process is Art. 6 Para. 1f GDPR; the legitimate interest here is prevention of misuse and ensuring system security (see above).
5.4 Data deletion and duration of storage
Query data are normally deleted as soon as they are no longer required to achieve the purpose for which they were collected. For personal information from the contact form and sent via email, this occurs when communication with the user has concluded and/or the user’s query has been given a final answer. The communication is considered to have ended or to have a final answer when the circumstances allow it to be understood that the content has been clarified conclusively. Instead of deletion, these data are saved with a processing restriction, insofar as continued storage of the data is required for the reasons listed in section 2.6, that is, if the query or its contents are subject to legal or supervisory record-keeping obligations.
The additional personal information collected during the sending process is deleted after a period no longer than seven (7) days.
5.5 Objection and removal options
At any time users have the option to stop communicating with us and/or to withdraw their query, objecting to the corresponding use of their data. In such a case the communication cannot be continued. All personal data saved during contact initiation shall be deleted in this case, unless it is a requirement to save the data for the reasons listed in section 2.6.
We have taken the necessary technical and administrative security actions to protect your personal data from loss and misuse. Your data are saved in a secure operating environment in a certified computer centre in Germany which is not open to the public.
If you would like to contact us by email, we point out that the confidentiality of the transmitted information is not guaranteed. The content of emails may be viewed by third parties. We therefore recommend that if you need to send us confidential information, e.g. application documents, that you do so exclusively by post.
7. Changes to this data protection statement
For legal and/or organisational reasons, changes or adjustments will be necessary to our data protection statement. With regard to this, please take note of the current version of our data protection statement, to which you have automatic access by clicking on the appropriate link shown to you as part of the cookie consent query. Changes always apply to personal data collected in future. Protection of data we collect and save before the change shall remain unaffected.
8. Your rights as an affected person
The GDPR grants you certain rights as a person affected by the processing of personal data, and we inform you of these rights in the attachment below.
If you have questions about data protection, please contact us. It is best to use the following contact address:
Datenschutzbeauftragter / Data Protection Officer
80687 Munich, Germany
Version: September 2022