Data protection

Data protection notice

The following information is to provide you with an overview of the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and how they are used depends largely on the services requested by or agreed with you. Therefore, not all of this information may apply to you.

Who is responsible for data processing and who can I contact?

Hoerner Bank AG
Oststrasse 77, 74072 Heilbronn, Germany
Tel.: +49 (0)7131 / 9322-0
info@hoernerbank.de

is responsible.

You can contact our company data protection officer at:

Hoerner Bank AG
Datenschutzbeauftragter
Oststrasse 77, 74072 Heilbronn, Germany
Tel.: +49 (0)7131 / 9322-0
datenschutzbeauftragter@hoernerbank.de

The contact information can also be found on the Internet at www.hoernerbank.de.

What sources and information do we use?
We process personal data that we receive from you in the course of our business relationship. In addition, we process – insofar as this is necessary for the provision of our services – personal data that are legitimately transmitted to us by other companies within the Hoerner Bank Group or by other third parties (e.g. General Credit Protection Agency, SCHUFA), (for example for the completion of mandates, fulfilment of contracts or on the basis of consent granted by you). We also process personal data that we have obtained legitimately, and are permitted to process, from publicly accessible sources (e.g. lists of debtors, deed registries, commercial and association registers, press, media, publicly accessible archives).

Relevant personal data are personal particulars (name, address and other contact data, date and place of birth, nationality), proof of identity data (e.g. identity card data) and authentication data (e.g. sample signature). In addition, this may also include mandate details (e.g. payment order, security order), data from the fulfilment of our contractual obligations (e.g. sales data in payment transactions, credit limits), product data (e.g. deposit, loan and portfolio business), information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g. consultation records), registration data, data concerning your use of the telemedia that we offer (e.g. times at which our website, apps or newsletter were accessed, our pages or entries clicked on) as well as other data comparable with the categories mentioned.

Why do we process your data (the reason for processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

1. To fulfil contractual obligations (Article 6 para. 1 b GDPR)
The processing of personal data (Article 4 No. 2 GDPR) takes place for the performance and mediation of banking transactions, financial services as well as insurance and real estate business, in particular in order to implement our contracts or pre-contractual measures with you and for the execution of your mandates, as well as all activities necessary within the scope of operating and managing a bank or financial services institute.

The purpose of data processing is primarily based on the actual product (e.g. account, loan, building society savings, securities, deposits, agency services, online banking) and can include needs analysis, consultation, asset management and support as well as the execution of transactions.

Please refer to the specific contractual documents and terms of business for further details regarding the reason for data processing.

2. In the context of balancing interests (Article 6 para. 1 f GDPR)
If need be, we process your data beyond the actual fulfilment of the contract to protect the legitimate interests of ourselves or third parties, for example in the following cases:

  • consultation of and the exchange of data with credit agencies (e.g. SCHUFA) for determining creditworthiness or credit risk and requirements for an account exempt from attachment or a basic account,
  • checking and optimising procedures for needs analysis and direct customer contact,
  • advertising or market and opinion research, as long as you have not objected to the use of your data,
  • ensuring the Bank’s IT security and operations,
  • prevention and investigation of criminal offences,
  • video surveillance for the collection of evidence in the event of criminal offences or as proof of disposition and deposits. It thereby serves to protect the customers and employees as well as to safeguard domiciliary rights,
  • measures for building and system security (e.g. access controls),
  • measures to secure domiciliary rights,
  • measures for business management and the further development of services and products.

3. On the basis of your consent (Article 6 para. 1 a GDPR)
If you have provided us with your consent to process personal data for certain purposes (e.g. passing on your data within the Hoerner Bank Group, analysis of payment transaction data for marketing purposes), the legality of this processing exists on the basis of your consent. Consent can be revoked at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before May 25, 2018 – such as the SCHUFA clause, for example.

Please note that revocation is effective for the future only. Processing that already took place prior to revocation is not affected.

4. On the basis of statutory or legal requirements (Article 6 para. 1 c GDPR) or in the public interest (Article 6 para. 1 e GDPR)
In addition, as a bank we are subject to various legal obligations, i.e. statutory requirements (e.g. Credit Services Act, Money Laundering Act, Securities Trading Act, tax laws) and bank regulatory requirements (e.g. the European Central Bank, the European Banking Supervisory Authority, the German Federal Bank and the (German) Federal Financial Supervisory Authority). The reasons for processing include, among other things, checking creditworthiness, verification of identity and age, the prevention of fraud and money laundering, the fulfilment of fiscal control and reporting obligations as well as the evaluation and control of risks.

Who receives my data?
Within the bank, those who need your data to fulfil our contractual and legal obligations have access to it. The data processors (Article 28 GDPR) used by us may also receive data for these stated purposes. These are companies in the categories of credit services, IT services, logistics, printing services, telecommunications, debt collection, advice and consulting as well as sales and marketing.

With regard to the transfer of data to recipients outside our bank, it must first be noted that we are obliged to maintain confidentiality about all customer-related facts and assessments of which we gain knowledge in accordance with the general terms and conditions agreed between you and us (banking secrecy). We may only disclose information about you if required to do so by law, if you have given your consent or if we are authorized to disclose details of banking affairs. Under these conditions, recipients of personal data could be, for example:

  • public offices and institutions (e.g. the German federal bank, Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, financial authorities) in the event of a legal or official obligation,
  • other credit and financial services institutions or similar institutions to which we transmit personal data in order to carry out the business relationship (depending on the contract: e.g. correspondent banks, portfolio banks, stock exchanges, credit agencies).

Other recipients of data may be those bodies for which you have given us your consent to the transfer of data or for which you have exempted us from banking secrecy in accordance with an agreement or consent.

How long is my data saved for?
We process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and implementation of a contract. It should be noted here that our business relationship is a continuing obligation that is designed to last for years.

In addition, we are subject to various retention and documentation obligations arising from the (German) Commercial Code (HGB), Fiscal Code (AO), Credit Services Act (KWG), Money Laundering Act (GwG) and Securities Trading Act (WpHG). The periods for retention and documentation specified there range from two to ten years.

Ultimately, the retention period is also determined according to the statutory limitation periods, which according to §§ 195 et seq. of the German Civil Code (BGB), for example, can generally be three years, but in certain cases also up to thirty years.

Will data be transferred to a third country or to an international organisation?
Data are only transmitted to third countries (countries outside the European Economic Area – EEA) if this is necessary to execute your mandates (e.g. payment and securities transactions), is legally prescribed, or if you have granted us your consent. We will inform you separately about details, as prescribed by law.

What data protection rights do I have?
Any affected person has the right to information under Article 15 GDPR, the right to correction under Article 16 GDPR, the right to deletion under Article 17 GDPR, the right to limitation of processing under Article 18 GDPR and the right to data transfer under Article 20 GDPR. The restrictions according to §§ 34 and 35 BDSG apply to the right to information and the right to deletion. In addition, there is a right of appeal to the responsible data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).

Further, you have the right to object to the processing of personal data concerning you at any time for any reason arising from your particular situation under Article 6 para. 1 e GDPR (data processing in the public interest) and Article 6 para. 1 f GDPR (data processing on the basis of balancing interests). This also applies to profiling on the basis of this provision within the meaning of Article 4 No. 4 GDPR, which we use for assessing creditworthiness or for advertising purposes.

If you object, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In individual cases we process your personal data in order to create direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling, insofar as this is in connection with such direct advertising.

If you object to the processing of your personal data for the purpose of direct advertising then your personal data will no longer be processed for this purpose.

Am I obligated to provide data?
Within the framework of our business relationship, you only have to provide those personal data which are required for the establishment, execution and termination of a business relationship or which we are legally obliged to collect. Without these data we will usually have to refuse the conclusion of the contract or the execution of the mandate or we will no longer be able to execute an existing contract and may possibly have to terminate it.

In particular, as per the regulations of money laundering law we are obliged to identify you before establishing the business relationship, for example on the basis of your identity card and to collect your name, place and date of birth, nationality and address. In order for us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising over the course of the business relationship. If you do not provide us with the necessary information and documents, we are not permitted to enter into the business relationship requested by you.

Is my data used for automated decision making in individual cases?
We generally do not use fully automated decision making according to Article 22 GDPR for the establishment and implementation of the business relationship. If we use this procedure in individual cases, we will inform you about this separately and about your rights in this regard, insofar as this is prescribed by law.

To what extent is my data used for profiling (scoring)?
We process some of your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

  • on the basis of legal and regulatory requirements, we are obligated to combat money laundering, the financing of terrorism and asset-endangering crimes. In this regard, assessment of data (in payment transactions, amongst other things) is also effected. These measures also serve to protect you,
  • we use assessment tools in order to be able to provide you with targeted information and advice about products. These facilitate communication and advertising, including market and opinion research, based on requirements,
  • we use scoring within the scope of assessing your creditworthiness. This calculates the probability that a customer will fulfil their payment obligations according to contract. The calculation includes income level, outgoings, existing liabilities, profession, employer, length of employment, experience from the business relationship to date, repayment of previous loans according to contract as well as information from credit agencies. Scoring is based on a mathematically and statistically recognised and proven procedure. The calculated score values support us in decision-making within the scope of product contracts and are included in the current risk management.

Information on your right of objection

Right of objection on a case-by-case basis
You have the right to object to the processing of personal data concerning you at any time for any reason arising from your particular situation under Article 6 paragraph 1 e GDPR (data processing in the public interest) and Article 6 paragraph 1 f GDPR (data processing on the basis of balancing interests); including profiling within the meaning of Article 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Right of objection with data processing for the purpose of direct advertising
In individual cases we process your personal data in order to create direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling, insofar as this is in connection with such direct advertising.

If you object to the processing of your personal data for the purpose of direct advertising then your personal data will no longer be processed for this purpose.

Receipt of an objection
The objection can be made in any form with the subject line “Objection” stating your name, your address and your date of birth and should be addressed to:

Hoerner Bank AG
Oststrasse 77, 74072 Heilbronn, Germany
Tel.: +49 (0)7131 / 9322-0
info@hoernerbank.de