BayernLB customer portal registration

Dear Sir or Madam,

In the following we would like to inform you about how we process your personal data and the entitlements and rights you have in accordance with the data protection regulations. The specific data that is processed and how it is used depends predominantly on the relevant personnel management processes.

1. Who is responsible for data processing and who can I contact?

The office responsible is:
Bayerische Landesbank
Anstalt des öffentlichen Rechts
Brienner Strasse 18
80333 Munich, Germany
Tel.: +49 89 2171-01
Fax: +49 89 2171-23579
E-mail: kontakt@bayernlb.de

You can contact our company’s data protection officer at:
Bayerische Landesbank
Anstalt des öffentlichen Rechts
Datenschutzbeauftragter
Brienner Strasse 18
80333 Munich
Germany
Tel.: +49 89 2171-01
E-Mail: Datenschutz.BayernLB@bayernlb.de

2. What sources and data do we use?

Personal data refers to any information relating to an identified or identifiable natural person. Processing personal data includes collecting, recording, structuring, saving, adapting or changing, reading out and retrieving this data. Furthermore, processing personal data also includes using, disclosing by means of transmission, dissemination or another form of provision, comparing or linking, restricting processing, deleting and destroying this data.

We process in particular the personal data, which we receive from customers or other data subjects as part of our business relationship. In addition, we process – as far as it is required for the provision of our services – personal data, which we have received lawfully from other companies in the Savings Banks Finance Group or other third parties (e.g. the German Creditors’ Protection Agency – SCHUFA), for example to carry out orders, fulfil contracts or as a result of consent you have provided. Furthermore, we process personal data, which we have obtained permissibly from publicly accessible sources (e.g. debtors’ list, registers of companies and associations, the press or the media) and are allowed to process. Relevant personal data is personal details (name, address and other contact details, date and place of birth and nationality), legitimation data (e.g. ID card details) and authentication data (e.g. specimen signature). It may also include order details (e.g. payment order, securities order), data from meeting our contractual obligations (e.g. turnover data relating to payment transactions), credit limits, product details (e.g. deposit, lending and custody business), information about your financial situation (e.g. credit standing, credit score/ rating data and origin of assets), advertising and sales data (including web scores), documentation data (e.g. investment advice form), registration data, data about your use of our telemedia offerings (e.g. time you called up our websites, apps or newsletters, and pages or content of ours that you have clicked on), and other data similar to the categories mentioned.

3. Why do we process your data (purpose of processing) and on what legal grounds?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz – BDSG) as amended:

3.1 To meet contractual obligations (Art. 6 para. 1 (b) GDPR)
We process personal data to perform and broker banking transactions, financial services, and insurance and real estate transactions, in particular to implement contracts or as part of pre-contractual activities and to execute orders, as well as all activities related to operating and managing a bank and financial services institution. The purpose for which data is processed is based principally on the specific product (e.g. account, loan, securities, deposits and brokerage) and may include needs analysis, consulting, asset management and execution of transactions. More details on the purposes of data processing can be found in the respective contract documents and other Business Conditions.

3.2 Considers legitimate interests (Art. 6 para. 1 (f) GDPR)
If required, we process your data in excess of that required to actually fulfil the contract to protect legitimate interests on our part or on the part of third parties. Examples of such processing of your personal data include:

• Consulting and sharing data with credit reference agencies (e.g. SCHUFA) to determine credit standing and default risk
• Checking and optimising needs analysis procedures for the purposes of targeting customers directly, including customer segmentation and calculating probabilities of default
• Conducting advertising, or market and opinion research, unless you have objected to your data being used
• Asserting legal claims and providing defence in legal disputes
• Ensuring IT security and the Bank’s IT operations
• Preventing and solving crimes
• Video surveillance to help the authorities gather proof of crimes and provides evidence of withdrawals and deposits, e.g. at ATMs. It helps protect customers and employees and allows it to safeguard its propertyowner rights
• Measures to ensure the security of buildings and equipment (e.g. access controls)
• Measures to ensure property-owner rights
• Measures to manage business and refine services and products.

3.3 As a result of your consent (Art. 6 para. 1 (a) GDPR)
If you have given us your consent to process personal data for certain purposes (e.g. sharing data within the Savings Banks Finance Group/BayernLB Group or analysing payments data for marketing purposes), your consent renders this processing lawful. Any consent granted can be withdrawn at any time. This also applies to withdrawing declarations of consent, which – such as the SCHUFA clause – were granted to us before the GDPR came into effect, i.e. before 25 May 2018. Please note that the withdrawal only applies in the future. Data processing that was performed before the withdrawal remains unaffected.

3.4 Due to legal requirements (Art. 6 para. 1 (c) GDPR) or in the public interest (Art. 6 para. 1 (e) GDPR)
In addition, we as a bank are subject to a range of statutory obligations, i.e. legal requirements (e.g. the German Banking Act, the German Money Laundering Act, the German Securities Trading Act and German tax law) and banking supervisory regulations (e.g. from the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the German Federal Financial Supervisory Authority). The purposes of processing include, for example, credit assessments, verification of identity and age, prevention of fraud and money laundering, meeting controlling and reporting obligations under tax law, and evaluating and managing risk.

4. Who gets my data?

Within the Bank, units that need it to fulfil their contractual and legal obligations receive access to the data. With regard to passing on data to recipients outside the Bank, please note first of all that we are obliged to maintain confidentiality about all customer-related matters and statements of opinion that we gain knowledge of (banking secrecy) in accordance with the General Business Conditions agreed between you and us. We may only pass on information about you if legal provisions allow or enforce this, you have given your consent or we are authorised to issue a credit reference. Under these prerequisites, the following may be recipients of personal data:

• Public entities and institutions (e.g. Deutsche Bundesbank, the German Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank and tax authorities) if there is a statutory or regulatory obligation.
• Other banks and financial services institutions or comparable organisations to which we pass on personal data in order to execute the business relationship with you (depending on the contract, e.g. correspondent banks, custodians, stock exchanges and credit reference agencies).

The contract data processors we use (Article 28 GDPR) or other recipients may receive data for these purposes. Such companies may fall under the following areas, for example: commercial lending services, IT services, logistics, printing services, telecommunications, collection, advice and consulting, and sales and marketing. Additional recipients may be the offices with which you have given us your consent to share data and/or for which you have released us from banking secrecy pursuant to agreement or consent.

5. How long will my data be stored?

To the extent required, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract. It must be noted that our business relationship is a continuing obligation that is established for several years. Furthermore we are subject to various retention and documentation obligations, which stem partly from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). The retention and documentation periods stipulated are generally between two and ten years.

As a result of external tax audits (section 193 AO), retention periods may also exceed ten years.

The duration of processing also takes account of the legal limitation periods. Under section 195 ff. of the Civil Code (BGB) these generally run for three years but are as long as 30 years in some cases.

6. Is data transferred to a third country or an international organisation?

Data is only transferred to a third country (countries outside the European Economic Area – EEA) if it is required to execute orders (e.g. payment and securities orders), it is required by law or you have provided us with your consent. If service providers in third countries are used, they are obligated to comply with the level of data protection in Europe by agreeing the EU standard contractual clauses, in addition to written instructions. We will inform you separately of details where legally required.

7. What rights of data protection do I have?

Every data subject has the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure (“right to be forgotten”) pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. The right of access and right of erasure are subject to the limitations of sections 34 and 35 BDSG. Furthermore the data subject has the right to lodge a complaint with a supervisory authority for data protection of their choice (Art. 77 GDPR in conjunction with section 19 BDSG).
You may withdraw consent granted to us to process personal data at any time. This also applies to withdrawing declarations of consent which were granted to us before the GDPR came into effect, i.e. before 25 May 2018. Please note that the withdrawal only applies in the future. Data processing that was performed before the withdrawal remains unaffected.

8. Am I obligated to provide data?

As part of our business relationship, only the personal data that is required to establish, perform and terminate a business relationship or that we are obliged by law to collect must be provided. Without this data, we will usually have to refuse to conclude a contract or to execute the order, or we will no longer be able to carry out an existing contract and may have to end it. In particular, the provisions of the German Money Laundering Act stipulate that, before establishing a business relationship, we have to identify you using your ID card and record your name, place of birth, date of birth, nationality and address. To enable us to meet this legal obligation, the German Money Laundering Act states that you must provide us with the requisite information and documents and must notify us of any changes arising in the course of the business relationship. If you do not provide us with the information and documents required, we are not permitted to enter into or continue the business relationship you wish to pursue.

9. To what extent is automated decision-making employed in individual cases?

We generally do not employ any decision-making procedure based solely on fully automated processing pursuant to Art. 22 GDPR to establish and execute the business relationship. If we should use this process in specific cases, you will be informed separately of this, providing this is required by law.

10. To what extent will my data be used for profiling (scoring)?

We process some of your data in an automated manner with the objective of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

• We are bound by legal and regulatory requirements to combat money laundering, terrorism financing and criminal acts jeopardising property. As part of this, we also perform data analysis (e.g. on payments transactions). These measures are simultaneously for your protection.
• We use analysis tools to provide you with targeted product information and advice. They enable needsbased communication and advertising, including market and opinion research.
• As part of assessing your credit standing, we use the credit score for retail customers and the rating for corporate customers. This is used to calculate the probability of the customer not meeting its payment obligations as contractually agreed. The calculation can include, for example, details of income, expenses, existing debts, job, employer, length of service, experience from previous business relationship, repayment of past loans in accordance with the contract and information from credit reference agencies. Additional data is taken into account for corporate customers, such as sector, annual net profit and financial situation. Scoring and rating are based on a recognised and proven mathematical-statistical method. The scores and ratings support us in making decisions regarding product sales and are incorporated into ongoing risk management.

Information about your right to object pursuant to Art. 21 of the General Data Protection Regulation (GDPR)

1. Objection on a case-by-case basis due to your specific situation You have the right to object at any time, for reasons arising from your specific situation, to processing of data relating to your person, which is performed based on Art. 6 para. 1 (e) GDPR (data processing carried out in the public interest) and Art. 6 para. 1 (f) GDPR (data processing based on consideration of legitimate interests); this also applies for profiling based on these provisions, within the meaning of Art. 4 No. 4 GDPR, which we use to evaluate credit standing or for marketing purposes. If you object, we will no longer process your personal data unless we can provide compelling legitimate reasons for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.
2. Right to object to data processing for the purposes of direct marketing In specific cases we process your personal data to engage in direct marketing. You have the right at any time to object to your personal data being processed for the purpose of such marketing; this also applies to profiling, if it is connected with direct marketing. If you object to your data being processed for the purposes of direct marketing, we will no longer process your data for this purpose.

The objection does not require a specific form and should be addressed to the following:

Bayerische Landesbank
Anstalt des öffentlichen Rechts
Brienner Strasse 18
80333 Munich, Germany
Tel.: +49 89 2171-01
Fax: +49 89 2171-23579
E-mail: kontakt@bayernlb.de