Data Protection Regulation (GDPR) - Guidelines for customers

Data Protection Guidelines for customers and other data subjects[1] valid from 25 May, 2018

The following information serves as an overview of the processing of your personal data by Helaba and of your rights under the Data Protection Regulations. Which types of data are processed, and how they are used, depends significantly on the services agreed and ordered. For that reason, not all parts of this information will apply to you.

Who is responsible for data processing and who can provide me with information?

The responsible party is:

Landesbank Hessen-Thüringen Girozentrale (public-law institution)
The Board of Managing Directors
Neue Mainzer Strasse 52-58
60311 Frankfurt am Main
Germany
T +49 69 / 91 32 - 01

Our Data Protection Officer can be reached at:

Landesbank Hessen-Thüringen Girozentrale
Datenschutzbeauftragter
Strahlenbergerstr. 11
63067 Offenbach
Germany
T +49 69 / 91 32 - 01
E-Mail: datenschutz@helaba.de

What sources and data do we use?

We process personal data that we receive from our clients or other data subjects within the scope of our business relations. Furthermore, if necessary for rendering our services, we process personal data lawfully obtained from publicly available sources (e. g. public list of debtors, cadastral register, commercial register, public media, Internet) or that have been lawfully provided to us by other companies of Sparkassen-Finanzgruppe (SFG) as our network partner or other third parties (e. g. credit agency).

Relevant personal data are particulars (name, address and other contact data, date and place of birth and nationality), identification data (e. g. passport/ID data), authentication data (e. g. signature sample), the rights to dispose of accounts and authorities to sign. Moreover, they can be order data (e. g. payment order, security order), data resulting from fulfilling our contractual obligations (e. g. revenue data from payment transactions), credit limit, product data (e. g. deposit and credit transactions), information about your financial situation (credit score, origin of assets, influence on and control of legal persons if applicable), advertising and sales data (including advertising scores), documentation data (e. g. minutes of consultations), register data, log data generated during use of IT systems (e. g. time of web site, app or newsletter visits, accessed Helaba web sites) as well as other data similar to the mentioned categories.

We process personal data in accordance with the requirements of the European General Data Protection Regulation (GDPR) and other legal regulations if applicable.

a) To perform a contract (Art. 6(1)(b) GDPR)

Personal data are processed (Art. 4, No. 2 GDPR) for the purposes of providing and brokering banking and financial services as well as insurance and real estate services, especially for performing our contracts or pre-contractual measures with you and the execution of your orders as well as all activities required in the context of operating and managing a financial services institution. The purposes of data processing largely depend on the product (e. g. account, deposit, loans and certificates of debt, building-saving, securities (deposit and trade), the issue of bonds and certificates, structured financial products, leasing, factoring, and securitization of claims), and can include requirements analyses, consultations, asset management as well as performing complex financial transactions within a consortium. For further details regarding the purpose of processing, please see the relevant contract documentations and terms and conditions.

b) Based on a balance of interests (Art. 6(1)(f) GDPR)

  • to consult and exchange data with credit agencies in order to assess credit and default risks associated with the credit business
  • to verify and optimize procedures for requirement analyses for direct sales approach
  • advertising or market and opinion research unless you have objected to this use of your data
  • to exercise and defend legal claims in case of legal disputes
  • to ensure proper data processing in accordance with IT security and data protection requirements (e.g. log files)
  • to guarantee system security and availability
  • to prevent and investigate crimes
  • video surveillance in order to exercise property rights, to collect evidence in case of robbery or fraud or as proof of transactions and deposits e. g. at the ATM
  • measures for the security of buildings and facilities (e. g. access controls)
  • measures to exercise property rights
  • measures for business development and enhancement of services and products
  • risk control within Helaba

c) Based on your consent (Art. 6(1)(a) GDPR)

If you have consented to our processing of your personal data for specific purposes (e. g. transfer of data within Helaba, analysis of payment messaging data for marketing purposes, pictures at events, newsletter dispatch) such processing is automatically lawful by reason of your consent. Consent may be withdrawn at any time. The same applies to any declarations of consent you may have signed before 25 May 2018 (when the GDPR enters into force). In addition, consent can only be withdrawn for future processing operations and withdrawal of consent does not affect processing operations already carried out.

d) Based on legal obligations (Art. 6(1)(c) GDPR) or public interest (Art. 6(1)(e) GDPR)

We are also subject to various legal obligations, i.e. statutory requirements which involve data processing (e. g. banking act, money-laundering act, securities trading act, tax laws) as well as banking supervisory rules (e. g. European Central Bank, European Banking Regulator, Financial Conduct Authority, Prudential Regulatory Authority). Purposes of processing can be, for example, credit assessments, identity and age verifications, prevention of fraud and money-laundering, fulfilment of fiscal monitoring and reporting obligations as well as risk control within Helaba.

Who receives my data?

Within Helaba, personal data is received by those bodies that require the data in order to comply with our contractual and legal obligations. For this purpose, we may also use various service providers (Art. 28 GDPR), provided that they maintain banking confidentiality in particular. These are companies in the categories credit and financial services, IT services, logistics, print services, telecommunication services, debt collection, advice and consultancy and distribution and marketing.

Regarding the transfer of personal data to recipients outside Helaba, it is of particular importance that Helaba, as a bank, is obliged to maintain confidentiality concerning all customer-related facts and assessments of which we become aware. Helaba may only disclose information concerning the customer if it is legally required to do so or if the customer has consented or if the Bank is authorized to disclose banking affairs. With these preconditions the recipients of personal data may include:

  • public authorities and institutions (e. g. European Central Bank, European Banking Regulator, Financial Conduct Authority, Prudential Regulatory Authority, tax authorities) where a legal or official obligation exists
  • other banks and financial services institutions or similar organizations that receive personal data from us in connection with our business relation with you (depending on contract e. g. correspondence banks, custodian banks, stock exchanges, credit agencies),
  • other companies within Helaba for risk control purposes due to legal or administrational obligations
  • third parties involved in the credit approval process (e. g. building societies, consortium banks, investors (e. g. capital management companies, pension funds, insurance companies), investment companies, funding institutions, fiduciaries, companies providing value assessments),
  • external processors.

Other data recipients may be the companies to which we transfer data with your consent or for which you have released us from banking confidentiality by arrangement or consent or that may, after a weighing of interests, receive personal data from us.

Are data transmitted to a third country or to an international organization?

A transfer of data to offices in countries outside the European Union (so-called third countries) takes place insofar as

  • it is required to complete your orders (e. g. payment and securities orders),
  • it is required by law (e. g. tax reporting obligations) or
  • you have given us your consent.

Furthermore, a transfer to third countries is foreseen in the following cases:

  • If required in individual cases, your personal information may be transferred to an IT service provider in the United States or other third country to ensure the IT operations of the Bank, in compliance with European data protection standards.
  • In individual cases, personal data (such as legitimacy data) will be transmitted in compliance with the data protection level of the European Union, with the consent of the person concerned or by means of legal provisions to combat money laundering, terrorist financing and other criminal acts and in the context of a balance of interests.

How long will my data be stored?

We process and store your personal data as long as this is necessary for the fulfillment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation that is intended to last for years.

If the data are no longer required for the fulfillment of contractual or legal obligations, they are regularly deleted, unless their temporary processing is necessary for the following purposes:

  • Fulfillment of commercial and tax retention obligations, which can result from, e. g., the Commercial Code, Tax Code, Banking Act, Money Laundering Act and Securities Trading Act. The deadlines for storage and documentation specified there are usually two to ten years.
  • Preservation of evidence in the context of the statutory statute of limitations. According to §§195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular period of limitation is 3 years.

Which data protection rights do I have?

Each data subject has the right to information under Article 15 of the GDPR, the right of correction under Article 16 GDPR, the right to cancellation under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. In addition, there is a right of appeal to a competent data protection supervisory authority.

Consent may be withdrawn at any time. The same applies to any declarations of consent you may have signed before 25 May 2018 (when the GDPR enters into force).

In addition, consent can only be withdrawn for future processing operations and withdrawal of consent does not affect processing operations already carried out.

Is there a duty for me to provide data?

As part of our business relationship, you must provide the personal information necessary to initiate, conduct and terminate a business relationship and to perform the related contractual obligations, or we are required to collect it by law. Without this data, we will generally be unable to conclude, execute and terminate a contract with you.

In particular, we are obliged under the money laundering regulations and the tax code to identify the contracting party and the beneficial owner on the basis of the identification document prior to establishing the business relationship or opening an account, and in doing so to collect and record name, place of birth, date of birth, nationality, address and identification data. In order for us to be able to fulfill this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and immediately notify us of any changes resulting from the business relationship. If you do not provide us with the necessary information and documents, we may not take up or continue the business relationship you have requested.

To what extent is there an automated decision-making process?

In principle, we do not use fully automated decision-making in accordance with Article 22 of the GDPR to establish and conduct the business relationship. If we use these procedures in individual cases, we will inform you about this and about your respective rights separately, if this is prescribed by law.

To what extent is my data used for profiling (scoring)?

We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

Due to legal and regulatory requirements, we are committed to combating money laundering, the financing of terrorism and property-related offenses. In doing so, data evaluations (among others in payment transactions) are carried out. These measures also serve your protection.

In the context of assessing your creditworthiness, we use scoring for private customers. This calculates the probability with which a customer will meet their payment obligations in accordance with the contract. For example, the calculation may include income, expenses, existing liabilities, occupation, employer, duration of employment, past business experience, past repayment of the loan and information from credit reporting agencies. The scoring is based on a recognized and proven mathematical-statistical procedure. The calculated score values help us to make decisions in the context of product deals and are part of ongoing risk management.

Information about your right to object under Article 21 GDPR

Case-specific right of objection

You have the right to object at any time, for reasons arising out of your particular situation, to the processing of personal data concerning you that takes place pursuant to Article 6 (1) (e) of the GDPR (data processing in the public interest) and Article 6 (1) (f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4 No. 4 GDPR.
If you object, we will no longer process your personal information unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, pursuing or defending legal claims.

Right to object to the processing of data for direct marketing purposes

In individual cases, we process your personal data in order to carry out direct marketing. You have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.

Recipient of the objection

The objection can be made informally with the subject "objection", stating your name, address and date of birth, and should be addressed to:

Landesbank Hessen-Thüringen Girozentrale
Data protection officer
Strahlenbergerstr. 11
63067 Offenbach
Germany
T +49 69 / 91 32 - 01
E-Mail: datenschutz@helaba.de

Cookies

When you visit our website, Helaba makes use of required and optional cookies. Cookies are small text files that are stored on your computer and saved by your browser. Their purpose is to make our range of services more user-friendly, for example so that you do not have to re-confirm an automatically generated disclaimer more than once. Cookies that we use are so-called “session cookies” because they are automatically reset at the end of your visit to our website.

Further information on the use of cookies on helaba.com can be found at Data protection.

| cookie [publisher] | purpose | storage period / Follow-up processing | third country transfer |
|---|---|---|---|
| disclaimer_disclosureRequirements [helaba] | necessary: Verification when accessing certain (sub) areas of the website | session | no |
| disclaimer_residenceGermany [helaba] | necessary: Verification when accessing certain (sub) areas of the website | session | no |
| hideCookieNotice [helaba] | necessary: Saves that the cookie or data protection notice will not be requested every time you visit. | 30 days | no |
| WSESSIONID [helaba] | necessary: Standard cookie to use with PHP session data. | session | no |

The sole purpose of using analytical services on our website is to optimise the online information we provide. Data collected in this way, such as IP address, date or time of the request, contents of the page accessed or the browser used do not enable any users to be directly identified. Analysis by Helaba of a user’s data is not intended to identify any individuals or conduct any profiling, in order to, for instance, send online advertising to visitors of our website.

You can find more information on statistics cookies here: Data protection

| cookie [publisher] | purpose | storage period / Follow-up processing | third country transfer |
|---|---|---|---|
| _et_coid [etracker] | statistic: cookie detection | 2 years / Evaluation to improve the user experience of our website | no |
| allowLoadExternRessources [helaba] | statistic: Saves the user decision that external components may be loaded automatically. | 30 days / Evaluation to improve the user experience of our website | no |
| allowTracking [helaba] | statistic: Saves the user decision that visitor behavior may be tracked. | 30 days / Evaluation to improve the user experience of our website | no |
| BT_ctst [etracker] | statistic: Is used to detect whether cookies are activated in the visitor's browser or not. | session / Evaluation to improve the user experience of our website | no |
| BT_pdc [etracker] | statistic: Contains Base64-coded visitor history data (is customer, newsletter recipient, visitor ID, displayed smart messages) for personalization. | 2 years / Evaluation to improve the user experience of our website | no |
| BT_sdc [etracker] | statistic: Contains Base64-encoded data of the current visitor session (referrer, number of pages, number of seconds since the beginning of the session), which is used for personalization purposes. | session / Evaluation to improve the user experience of our website | no |
| isSdEnabled [etracker] | statistic: Detection of whether the visitor's scroll depth is measured. | 1 hour / Evaluation to improve the user experience of our website | no |

On our website, we use a so-called re-targeting technology provided by The UK Trade Desk Ltd., 10th Floor, 1 Bartholomew Close, London EC1A 7BL, United Kingdom. With this technology, cookies (so-called third-party cookies) are stored on your hard drive when you visit our website. These cookies are either permanent or temporary cookies that are automatically deleted after a certain period of time has elapsed.

You can find more information on marketing cookies here: Data protection

| cookie [publisher] | purpose | storage period / Follow-up processing | third country transfer |
|---|---|---|---|
| EDAAT [.adsrvr.org] | Marketing: Stores a temporary security token for EDAA sign-out pages such as http://www.youronlinechoices.com/ | 1 hour / evaluation for the playout of banners for marketing purposes | yes / United Kingdom |
| TDCPM [.adsrvr.org] | Marketing: Matching IDs to avoid redundant calls. | 365 days / evaluation for the playout of banners for marketing purposes | yes / United Kingdom |
| TDID [.adsrvr.org] | Marketing: recognition of web profiles over time on different websites. | 365 days / evaluation for the playout of banners for marketing purposes | yes / United Kingdom |
| TTDOptOut [.adsrvr.org] | Marketing: Stores the decision to opt out of re-targeting. | 5 years / evaluation for the playout of banners for marketing purposes | yes / United Kingdom |
| TTDOptOutOfDataSale [.adsrvr.org] | Marketing: Stores the decision against selling data to third parties. | 5 years / evaluation for the playout of banners for marketing purposes | yes / United Kingdom |