The protection of your data is important to us

We are pleased about your interest in our company and our products or services and would like you to feel safe when visiting our Internet pages, also with regard to the protection of your personal data, because we take the protection of your personal data very seriously. It goes without saying that we comply with the provisions of the General Data Protection Regulation (GDPR) and the BDSG-New.

We want you to know when we collect which data and how we use them. We have taken technical and organisational measures to ensure that the regulations on data protection are observed both by us and by external service providers commissioned by us.

Data collection on this website

How do we collect your data?

On the one hand, your data is collected when you provide it to us. This may be data that you enter in a contact form, for example.

Other data is automatically collected by our IT systems when you visit the website. These are mainly technical data (e.g. Internet browser, operating system or time of the page call). This data is collected automatically as soon as you enter this website.

How do we use your data?

Part of the data is collected to ensure that the website is provided without errors. Other data can be used to analyse your user behaviour.

External Hosting

This website is hosted by an external service provider (Hoster). The personal data collected on this website is stored on the hoster's servers. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated by a website. The use of the hoster is for the purpose of fulfilling a contract with our potential and existing customers (Art. 6 para. 1 lit. b DSGVO) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f DSGVO). Our hoster will only process your data to the extent necessary to fulfil its performance obligations and will follow our instructions with regard to this data.

Conclusion of a contract on order processing

In order to guarantee data protection compliant processing, we have concluded a contract for order processing with our host.

Personal data

Personal data is information about your identity. This includes information such as name, address, telephone number, e-mail address. This information is always processed in accordance with the requirements of the General Data Protection Regulation and other data protection regulations applicable to our company.

In principle, it is not necessary for you to disclose personal data in order to use our website. In certain cases, however, it may be necessary to process personal data, for example in order to provide the services you have requested.

The same applies, for example, to the sending of information material and ordered goods or to answer individual questions. Where this is necessary, we will inform you accordingly.

If there is no legal basis for processing this personal data, we will obtain your corresponding consent.

In addition, we only store and process data that you provide us voluntarily and, if applicable, data that we automatically collect when you visit our Internet pages (e.g. your IP address and the names of the pages you visit, the browser and operating system you use, date and time of access, search engines used, names of downloaded files).

If you make use of services, as a rule only such data is collected as we need to provide the services. If we ask you for further data, this information is voluntary. Personal data is processed exclusively for the purpose of providing the requested service and to protect our own legitimate business interests.

Data that can be processed when you visit our website:

  • Master data (names, addresses, etc.)
  • Content data (texts, photos, videos, etc.)
  • Contact data (e-mail, phone numbers, etc.)
  • Metadata (IP addresses, device information, etc.)
  • Usage data (visited contents, access times, etc.)

Affected persons are the users of our online offer.

Name and address of the person responsible

The person responsible within the meaning of the General Data Protection Regulation, other data protection laws applicable in the EU member states and other data protection regulations is

Fondsdepot Bank GmbH
Windmühlenweg 12, 9503 Hof, Germany
Phone: +49 (0) 9281 7258 0
e-mail: info(at)fondsdepotbank.de

Designation of a data protection officer

The contact details of our data protection officer are as follows:

Mr. Mario Arndt,
DEUDAT GmbH, Zehntenhofstr. 5b, 65201 Wiesbaden
Phone: +49 611 950008-40
Fax: +49 611 950008-59
e-mail: datenschutz(at)fondsdepotbank.de

Our data protection officer is available at any time to answer all your questions and suggestions regarding data protection.

Please direct inquiries that should reach the Data Protection Officer alone and not the Data Protection Team to fondsdepotbank(at)deudat.de.

Information on data transfer to the USA and other non-EU countries

Among other things, we use tools of companies domiciled in the United States or in other non-EU countries that are not secure from a data protection perspective. If these tools are active, your personal data may potentially be transferred to these non-EU countries and may be processed there. We must point out that in these countries, a data protection level that is comparable to that in the EU cannot be guaranteed. For instance, U.S. enterprises are under a mandate to release personal data to the security agencies and you as the data subject do not have any litigation options to defend yourself in court. Hence, it cannot be ruled out that U.S. agencies (e.g., the Secret Service) may process, analyze, and permanently archive your personal data for surveillance purposes. We have no control over these processing activities.

Earmarked use

We will collect, process and use the personal data you provide online only for the purposes communicated to you. Your personal data will not be passed on to third parties without your express consent.

The collection of personal data and its transmission to state institutions and authorities entitled to receive information are only carried out within the framework of the relevant laws or if we are obliged to do so by a court decision. Our employees and the service companies commissioned by us are obliged by us to maintain secrecy and to comply with the provisions of the General Data Protection Regulation.

Data that is automatically collected when you visit our website

When you use our Internet pages, the following data is stored for organisational and technical reasons: the names of the pages you call up, the browser you use and your operating system, date and time of access, search engines used, names of downloaded files and your IP address.

The information collected is needed to deliver the contents of our website correctly. In addition, we evaluate this technical data anonymously and only for statistical purposes in order to continuously optimize our Internet presence and to make our Internet offers even more attractive, as well as to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack. This data is stored separately from other personal information on secure systems. Conclusions about individual persons are not drawn. Information from log files is stored for a period of seven days and deleted immediately after the storage period has expired. Should storage beyond this period become necessary, for example for reasons of evidence, this data is excluded from deletion until the respective matter has been settled. The processing is based on our legitimate interest in an efficient and secure provision of our website in accordance with Art. 6 para. 1 lit. f in conjunction with Art. 28 DSGVO.

Contact details

If you contact us by e-mail, telephone or fax, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We do not pass these data on without your consent.

These data are processed on the basis of Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is required for the performance of pre-contractual measures. In all other cases, the data are processed on the basis of our legitimate interest in the effective handling of inquiries submitted to us (Art. 6(1)(f) GDPR) or on the basis of your consent (Art. 6(1)(a) GDPR) if it has been obtained.

The data sent by you to us via contact requests remain with us until you request us to delete them, revoke your consent to their storage or the purpose for the data storage lapses (e.g. after completion of your request). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

Rights of data subjects

Information about, rectification and eradication of data

Within the scope of the applicable statutory provisions, you have the right to demand information at any time about your archived personal data, their source and recipients as well as the purpose of the processing of your data. You may also have a right to have your data rectified or eradicated. If you have questions about this subject matter or any other questions about personal data, please do not hesitate to contact us at any time.

Right to demand processing restrictions

You have the right to demand the imposition of restrictions as far as the processing of your personal data is concerned. To do so, you may contact us at any time. The right to demand restriction of processing applies in the following cases:

  • In the event that you should dispute the correctness of your data archived by us, we will usually need some time to verify this claim. During the time that this investigation is ongoing, you have the right to demand that we restrict the processing of your personal data.
  • If the processing of your personal data was/is conducted in an unlawful manner, you have the option to demand the restriction of the processing of your data in lieu of demanding the eradication of this data.
  • If we do not need your personal data any longer and you need it to exercise, defend or claim legal entitlements, you have the right to demand the restriction of the processing of your personal data instead of its eradication.
  • If you have raised an objection pursuant to Art. 21(1) GDPR, your rights and our rights will have to be weighed against each other. As long as it has not been determined whose interests prevail, you have the right to demand a restriction of the processing of your personal data.
  • If you have restricted the processing of your personal data, these data – with the exception of their archiving – may be processed only subject to your consent or to claim, exercise or defend legal entitlements or to protect the rights of other natural persons or legal entities or for important public interest reasons cited by the European Union or a member state of the EU.

Revocation of your consent to the processing of data

A wide range of data processing transactions are possible only subject to your express consent. You can also revoke at any time any consent you have already given us. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

Right to object to the collection of data in special cases; right to object to direct advertising (Art. 21 GDPR)

IN THE EVENT THAT DATA ARE PROCESSED ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO AT ANY TIME OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA BASED ON GROUNDS ARISING FROM YOUR UNIQUE SITUATION. THIS ALSO APPLIES TO ANY PROFILING BASED ON THESE PROVISIONS. TO DETERMINE THE LEGAL BASIS, ON WHICH ANY PROCESSING OF DATA IS BASED, PLEASE CONSULT THIS DATA PROTECTION DECLARATION. IF YOU LOG AN OBJECTION, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA, UNLESS WE ARE IN A POSITION TO PRESENT COMPELLING PROTECTION WORTHY GROUNDS FOR THE PROCESSING OF YOUR DATA, THAT OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOMS OR IF THE PURPOSE OF THE PROCESSING IS THE CLAIMING, EXERCISING OR DEFENCE OF LEGAL ENTITLEMENTS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS BEING PROCESSED IN ORDER TO ENGAGE IN DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR AFFECTED PERSONAL DATA FOR THE PURPOSES OF SUCH ADVERTISING AT ANY TIME. THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS AFFILIATED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT ADVERTISING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

Right to log a complaint with the competent supervisory agency

In the event of violations of the GDPR, data subjects are entitled to log a complaint with a supervisory agency, in particular in the member state where they usually maintain their domicile, place of work or at the place where the alleged violation occurred. The right to log a complaint is in effect regardless of any other administrative or court proceedings available as legal recourses.

Right to data portability

You have the right to demand that any data we automatically process on the basis of your consent or in order to fulfil a contract be handed over to you or a third party in a commonly used, machine-readable format. If you should demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.

Automated decision making

As a responsible company, we do not carry out automated decision making or profiling.

Duration of storage

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, the deletion will take place after these reasons cease to apply.

Legal basis of the processing

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9 (2)(a) GDPR, if special categories of data are processed according to Art. 9 (1) DSGVO. In the case of explicit consent to the transfer of personal data to third countries, the data processing is also based on Art. 49 (1)(a) GDPR. If you have consented to the storage of cookies or to the access to information in your end device (e.g., via device fingerprinting), the data processing is additionally based on § 25 (1) TTDSG. The consent can be revoked at any time. If your data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, if your data is required for the fulfillment of a legal obligation, we process it on the basis of Art. 6(1)(c) GDPR. Furthermore, the data processing may be carried out on the basis of our legitimate interest according to Art. 6(1)(f) GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.

Provision of personal data

In some cases, the provision of personal data is required by law or contract. For this reason, it may be necessary, for example, for the conclusion of a contract, for you to provide us with personal data which must be processed by us. For example, you are obliged to provide personal data in order to conclude a contract. Failure to do so would mean that the contract cannot be concluded.

Before providing personal data, you can contact our data protection officer. He will inform you whether the provision of personal data is required by law or by contract in each individual case and what the consequences would be if the data were not provided.

Security

As the data controller, we have taken technical and organisational security measures in accordance with Art. 32 DSGVO. These include in particular measures to ensure the confidentiality, integrity and availability of data. In addition, we have established processes to ensure the rights of data subjects, the deletion of personal data and an immediate response to any threat to such data. In addition, we ensure the protection of personal data already during the development and selection of hardware and software in accordance with the principles of Art. 25 DSGVO. All our employees and all persons involved in data processing are obliged to comply with the General Data Protection Regulation and other laws relevant to data protection and to handle personal data confidentially.

In the case of the collection and processing of personal data, the information is transmitted in encrypted form to prevent misuse of the data by third parties. Our security measures are continuously revised in line with technological developments.

Nevertheless, Internet-based data transmissions can generally have security gaps, so that absolute protection cannot be guaranteed.

Changes to our privacy policy

We reserve the right to change our security and data protection measures if this becomes necessary due to technical developments. In these cases we will also adapt our data protection information accordingly. Therefore, please note the current version of our data protection declaration.

Links

If you use external links that are offered within the framework of our Internet pages, this data protection declaration does not extend to these links. Insofar as we offer links, we assure you that at the time of setting the link, no violations of applicable law were discernible on the linked Internet pages. However, we have no influence on the compliance with data protection and security regulations by other providers. Therefore, please inform yourself on the websites of the other providers about the data protection declarations provided there.

Use of Chatbots

We use chatbots to communicate with you. Chatbots have the capability to respond to your questions and other entries without the assistance of humans. To do this, chatbots analyze your entries and other data to give matching responses (e.g., names, email addresses and other contact information, customer numbers and other identification, orders, and chat progresses). The chatbot can also register your IP address, log files, location information and other meta data. The data is archived on the servers of the chatbot provider.

It is possible to generate user profiles based on the recorded data. Moreover, the data can be used to display interest-related advertising if the other legal requirements are met (in particular if consent has been obtained). Moreover, it is possible to link chatbots to analytical and advertising tools.

The recorded data can also be used to improve our chatbots and their response patterns (machine learning).

We or the chatbot operator retain the data you enter until you ask us to delete it, revoke your consent to archive it or if the purpose for the data storage is no longer in effect (e.g., once your inquiry has been fully processed). This does not affect mandatory statutory provisions – in particular, retention time frames.

The legal basis for the use of chatbots is Art. 6(1)(b) GDPR, if the chatbot is used to negotiate a contract or in conjunction with the fulfillment of a contract. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time. In all other cases, the use is based on our legitimate interest in the most effective client communication possible (Art. 6(1)(f) GDPR).

We use the following chatbots:

Salesforce Chatbot

The provider is salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 München (hereinafter referred to as “Salesforce”).

The Salesforce chatbot processes all information you have entered in conjunction with the interaction as well as other available data, such as contact information (e.g., email address and phone numbers), order data, order progressions, previous customer inquiries as well as customer numbers and other identifiers.

The data processed in conjunction with communications is stored on Salesforce’s servers. This means that data may also be transferred to the parent company of salesforce.com Germany GmbH, specifically salesforce.com inc., Salesforce Tower, 415 Mission Street, San Francisco, CA 94105, USA. Salesforce has Binding Corporate Rules (BCR) in place, which have been approved by the French Data Protection Agency. These are binding intra-corporate provisions that legitimize the in-company transfer of data to countries outside of the EU and the EEA. For details, please click here: www.salesforce.com/de/blog/2020/07/die-binding-corporate-rules-von-salesforce-erfuellen-hoechste-da.html.

The Salesforce Data Privacy Policy can be found here: www.salesforce.com/de/company/privacy/.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that the provider processes personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Cookies

Our websites and pages use what the industry refers to as “cookies.” Cookies are small text files that do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or they are permanently archived on your device (permanent cookies). Session cookies are automatically deleted once you terminate your visit. Permanent cookies remain archived on your device until you actively delete them, or they are automatically eradicated by your web browser.

In some cases, it is possible that cookies from third-party companies are stored on your device once you enter our site (third-party cookies).

Cookies have a variety of functions. Many cookies are technically essential since certain website functions would not work in the absence of the cookies (e.g., the shopping cart function or the display of videos). The purpose of other cookies may be the analysis of user patterns or the display of promotional messages.

Cookies, which are required for the performance of electronic communication transactions (required cookies) or for the provision of certain functions you want to use (functional cookies, e.g., for the shopping cart function) or those that are necessary for the optimization of the website (e.g., cookies that provide measurable insights into the web audience), shall be stored on the basis of Art. 6(1)(f) GDPR, unless a different legal basis is cited. The operator of the website has a legitimate interest in the storage of cookies to ensure the technically error free and optimized provision of the operator’s services. If your consent to the storage of the cookies has been requested, the respective cookies are stored exclusively on the basis of the consent obtained (Art. 6(1)(a) GDPR and § 25 (1) TTDSG); this consent may be revoked at any time.

You have the option to set up your browser in such a manner that you will be notified any time cookies are placed and to permit the acceptance of cookies only in specific cases. You may also exclude the acceptance of cookies in certain cases or in general or activate the delete function for the automatic eradication of cookies when the browser closes. If cookies are deactivated, the functions of this website may be limited.

In the event that third-party cookies are used or if cookies are used for analytical purposes, we will separately notify you in conjunction with this Data Protection Policy and, if applicable, ask for your consent.

Consent with Usercentrics

This website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your terminal device or to the use of certain technologies and to document this consent in accordance with data protection law. The provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, website: usercentrics.com/de/ (hereinafter "Usercentrics").
When you enter our website, the following personal data is transferred to Usercentrics:

  • Your consent(s) or revocation of your consent(s).
  • Your IP address
  • Information about your browser
  • Information about your terminal device
  • Time of your visit to the website

Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consent(s) given or their revocation to you. The data collected in this way is stored until you request us to delete it, delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.
Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 para. 1 lit. c DSGVO.

Order processing

We have concluded an order processing agreement (AVV) with the above-mentioned provider. This is a contract required by data protection law, which ensures that this provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the DSGVO.

CCM19

Our website uses CCM19 to obtain your consent for the storage of certain cookies on your device or for the use of specific technologies and to document the former in a data protection compliant manner. The provider of this technology is Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn, Germany (hereinafter referred to as “CCM19”).

When you access our website, a connection with the servers of CCM19 is established to obtain your consent and other declarations related to the use of cookies. Subsequently, CCM19 will store a cookie in your browser to be able to allocate the granted consent or revocation. The data generated using this system will be archived by us until you ask us to delete it, delete the CCM19 cookie yourself or the purpose for the archiving of the data no longer applies. This shall be without prejudice to any mandatory statutory archiving periods.

We use CCM19 to obtain the consent mandated by law for the use of cookies. The legal basis for this is Art. 6 (1)(1)(f) GDPR.

Data processing

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract mandated by data privacy laws that guarantees that the provider processes personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources. These data are recorded on the basis of Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in the technically error-free presentation and optimisation of his website - for this purpose the server log files must be recorded.

Children and young people

Persons under 16 years of age should not transmit any personal data to us without the consent of their parents or legal guardians. We do not request personal data from children and young people, do not collect such data and do not pass it on to third parties.

Applications

You can send us your data, as far as available on our online offer, via contact form. This is done, in cooperation with "softgarden e-recruiting GmbH", by means of a state-of-the-art encryption procedure. If you send us your applicant data via e-mail, we ask you to note that e-mails are not sent encrypted and that you as applicant have to take care of encryption yourself. For this reason, we cannot assume any responsibility for the transmission of your data in this way and therefore recommend that you use the postal service: in addition to sending the documents by e-mail or online form, you can also send us documents by post.

If the application for one of our job offers is not successful, your data will be deleted after six months, unless you have declared a justified revocation before the end of this period or have given us your consent to store the data for a period exceeding this period. This is necessary in order to be able to fulfil our obligation to provide evidence under the General Equal Treatment Act if necessary. If you have submitted invoices for the reimbursement of travel expenses to us, these will be stored in accordance with the statutory provisions and deleted after the expiry of statutory storage periods.

We will process the data you have made available to us exclusively for the purpose of processing the application procedure. This takes place on the basis of Art. 6 Para. 1 lit. b) DSGVO, or if processing in legal proceedings becomes necessary, on the basis of Art. 6 Para. 1 lit. f) DSGVO and § 26 BDSG. Should you also voluntarily provide us with special personal data, such as health data, we process this data on the basis of Art. 9 Para. 2 lit. a) DSGVO. If this is necessary for the intended exercise of the profession, we request special categories of personal data on the basis of Art. 9 Para. 2 lit. b) DSGVO.

pushTAN app of Fondsdepot Bank GmbH

As of August 2019

1 The application

Fondsdepot Bank GmbH is the provider of the mobile application "PushTAN-App" or "App".

The PushTAN app is an app for iOS and Android devices, which offers comprehensive services for the authorisation of orders requiring TANs on mobile devices. Fondsdepot Bank provides the app in this context. This functionality and the associated data are collected and processed by Fondsdepot Bank. The app enables you to place certain orders as part of the business relationship with the bank (e.g. transfers, whereby order data is transmitted to your bank via a secure Internet connection).

2 Data processing

Within the framework of the use of our app, we process your data for the purposes described in more detail below on the basis of the legal bases listed below.

2.1 General information on use

After initial setup of the app (details under point 2.2 a), a connection to the servers of the Fondsdepot Bank is established to display your bank data in the app.

Afterwards, the entire data traffic (data on the transaction) is processed under the responsibility of the Fondsdepot Bank.

2.2 Data processing purposes and legal basis

Unless otherwise described in the following sections, the legal basis for data processing in the context of the use of the App follows from Art. 6 para. 1 lit. b DSGVO. In this case, the processing of your data is necessary to execute the PushTAN app usage contract with you and to provide you with the functionality of the app.

a. Initial setup of the app

For the initial registration in the app you have to provide the following information, which is necessary for the use:

Only after entering the access number and activation code, you will be asked to enter a self-selected PIN. Depending on the device you are using (iOS or Android) as well as when using only one access number, you can also activate additional biometric data (TouchID and/or FaceID). The biometric data you have activated will not be transmitted to Fondsdepot Bank.

The processing of this data, in particular its storage on your device, is necessary to enable you to use the app without restrictions.

The PIN assigned by the user in the app is stored in encrypted form locally in the app and is forwarded to Fondsdepot Bank in encrypted form for authentication purposes and stored there.

b. Storage of your IP address and the date of registration

To register the application, your device must process the authorization data from online banking (access number) to prevent unauthorized logins. The processing of this data is necessary in order to provide you with unrestricted use of the app.

c. Push notifications

You have the possibility to receive so-called push messages when using this app, if you give your consent in the mobile operating system. Push notifications are messages that appear on your smartphone without opening the respective app. A push ID is stored and processed for this purpose. The purpose of push notifications is to inform the user about transactions requiring TANs. The information itself is not included in the push notification, but can only be retrieved in the app after authentication. The authorization for push messages can be withdrawn at any time in the system settings.

d. Display of transactions requiring TANs in the App

If you use the app's function within the framework of Fondsdepot Bank's online banking, a selection of your most recent TAN-liable transactions will be displayed and stored locally in the app. The storage of your data is necessary to provide you with the functionality of the app.

2.3 Data security

We maintain current technical measures to ensure data security, in particular to protect your personal data from risks during data transmission and from third parties gaining knowledge of them. These measures are adapted to the current state of the art. The data transfers are carried out via SSL-encrypted connections.

2.4 Data receiver

As a matter of principle, your data will only be forwarded at your instigation by using the PushTAN app function. The recipient of your data is the Fondsdepot Bank.

In addition, we will only transfer your personal data if there is a legal obligation to do so. The transmission is based on Art. 6 para. 1 lit. (c) DSGVO (e.g. to the police authorities in connection with criminal investigations or to the data protection supervisory authorities).

2.5 Storage period of personal data

If your personal data is required for the assertion and processing of civil law claims, it will be stored in accordance with the general limitation periods for 3 years from the end of the year in which the claim arose and you have gained knowledge of the facts substantiating the claim or should have gained knowledge without gross negligence (§§ 195, 199 German Civil Code).

If, in addition, there are special statutory storage obligations, we will store your personal data until the fulfilment of this obligation. After these periods have expired, the data concerned are routinely deleted.

Login area

You have the possibility to log into a protected area on our website. Your access number as well as the PIN previously given to you by your consultant, or your user name and the corresponding password are processed. This data is processed for the purpose of using the user account and its purpose on the basis of Art. 6 Para. 1 lit. b) DSGVO.

When using the registration function and the user account, we also store the time of your registration and other user actions as well as your IP address. This will be anonymised or deleted after seven days at the latest. We store this data on the basis of our legitimate interests to protect users from misuse and unauthorised use in accordance with Art. 6 Para. 1 lit. f) DSGVO. The stored data will not be passed on to third parties, unless we are obliged to do so by a legal provision according to Art. 6 Para. 1 lit. c) DSGVO or this is necessary to pursue our claims.

virtualQ - Callback Service

In order to answer your questions in the best possible and most convenient way, we offer you the callback service with appointment of VirtualQ GmbH, Spittastraße 2, 70193 Stuttgart, Germany (in the following: VirtualQ). You can use the form to make a personal callback appointment with our customer service, specifying your preferred date and time and your telephone number. Your telephone number and IP address will be transmitted to VirtualQ for this purpose. The IP address is automatically transmitted but not stored. The telephone number will only be used to call you back.

Your telephone number will be stored until the service has been provided to you and will be deleted after 30 days at the latest.

The legal basis for this data processing is Art. 6 para. 1 lit. b) DSGVO, insofar as you are interested in information in the run-up to the conclusion of a contract or in topics relating to an already existing contract.

Otherwise, the legal basis for the processing of your data is Art. 6 (1) (f) DSGVO, as we pursue our interest in improving our accessibility and our service by involving the service provider and the associated data processing.

You can find the data protection information of our service provider virtualQ at: https://virtualq.io/datenschutz/.

Matomo

This website uses the open-source web analysis service Matomo.

Through Matomo, we are able to collect and analyze data on the use of our website by website visitors. This enables us to find out, for instance, when which page views occurred and from which region they came. In addition, we collect various log files (e.g. IP address, referrer, browser, and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).

The use of this analysis tool is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the analysis of user patterns, in order to optimize the operator’s web offerings and advertising. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

IP anonymization

For analysis with Matomo we use IP anonymization. Your IP address is shortened before the analysis, so that it is no longer clearly assignable to you.

Analysis without cookies

We have configured Matomo in such a way that Matomo will not store cookies in your browser.

Hosting

We host Matomo with the following third-party provider:
The hosting is done through Matomo by using the Matomo Cloud version.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Google DoubleClick

This website uses functions of Google DoubleClick. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland, (hereinafter "DoubleClick").

DoubleClick is used to display interest-based advertisements to you throughout the Google advertising network. The advertisements can be targeted to the interests of the respective viewer with the help of DoubleClick. For example, our ads may be displayed in Google search results or in banner ads associated with DoubleClick.

In order to be able to display interest-based advertising to users, DoubleClick must be able to recognize the respective viewer and associate him or her with the web pages visited, clicks and other information on user behavior. For this purpose, DoubleClick uses cookies or comparable recognition technologies (e.g. device fingerprinting). The information collected is combined into a pseudonymous user profile in order to display interest-based advertising to the relevant user.

The use of this service is based on your consent in accordance with Art. 6 Para. 1 lit. a DSGVO and § 25 Para. 1 TTDSG. The consent can be revoked at any time.

For more information on how to object to the advertisements displayed by Google, please see the following links: policies.google.com/technologies/ads and adssettings.google.com/authenticated.

Corporate presences on social media platforms

Data processing by social networks

Social networks such as Facebook, Twitter, etc. can generally analyze your user behavior extensively when you visit their website or a website with integrated social media content (e.g. Like buttons or advertising banners). Visiting our social media presences triggers numerous processing operations relevant to data protection. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, you can be shown interest-based advertising inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis

Our social media presences are intended to ensure the most comprehensive presence possible on the Internet. This is a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO. The analysis processes initiated by the social networks may be based on different legal bases, which are to be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 (1) lit. a DSGVO).

Responsible party and assertion of rights

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both vis-à-vis us and vis-à-vis the operator of the respective social media portal (e.g. vis-à-vis Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage period

The data collected directly by us via the social media presence is deleted from our systems as soon as you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their data protection notices, see below).

Social networks in detail

Facebook

We have a profile on Facebook. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. According to Facebook, the data collected is also transferred to the USA and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Facebook. This agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings independently in your user account. To do so, click on the following link and log in: www.facebook.com/settings.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: www.facebook.com/legal/EU_data_transfer_addendum and de-de.facebook.com/help/566994660333381.

For details, please refer to Facebook's privacy policy: www.facebook.com/about/privacy/.

XING

We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. For details on how they handle your personal data, please refer to XING's privacy policy: privacy.xing.com/de/datenschutzerklaerung.

LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you wish to disable LinkedIn advertising cookies, please use the following link: www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

We have entered into a joint processing agreement (Controller Addendum) with LinkedIn. This agreement specifies which data processing operations we or LinkedIn are responsible for when you visit our LinkedIn page. You can view this agreement at the following link: legal.linkedin.com/pages-joint-controller-addendum.

Data transfer to the US is based on the standard contractual clauses of the EU Commission. Details can be found here: www.linkedin.com/legal/l/dpa and www.linkedin.com/legal/l/eu-sccs.
For details on their handling of your personal data, please refer to LinkedIn's privacy policy: www.linkedin.com/legal/privacy-policy.

KUNUNU

As the provider of our Kununu page, we can see, for example, when and with what content reviews were submitted for our company. The corresponding ratings are pseudonymized on our Kununu page and we have no way of relating them to a specific person. In addition, you have the option of submitting a request to the Kununu community via the Kununu page. Corresponding inquiries are also made pseudonymously. If we respond to such a question, we will process the data, in particular the content of the question, in order to process your request. We process the data on the basis of legitimate interest pursuant to Art. 6 (1) lit. f DSGVO.

Kununu also displays anonymous - i.e. non-personal - data on the profile views of our Kununu page without being asked and, moreover, graphically evaluates the ratings submitted on our Kununu page. Without further additional information, it is not possible for us to assign the corresponding information to you.

For more information about the processing of your data by Xing, which operates the website of kununu GmbH, Neutorgasse 4-8, Top 3.02, A - 1010 Vienna (hereinafter "Kununu"), please see the privacy notice available at privacy.xing.com/de/datenschutzerklaerung.

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how they handle your personal data, please refer to YouTube's privacy policy: policies.google.com/privacy.

YouTube with enhanced privacy

This website embeds videos from the website YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube - regardless of whether you watch a video - establishes a connection to the Google DoubleClick network.

As soon as you start a YouTube video on this website, a connection to YouTube's servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your end device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience, and prevent fraud attempts.
If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no control.

YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

For more information about data protection at YouTube, please refer to their privacy policy at: policies.google.com/privacy.

Google Web Fonts

This page uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to Google's servers. Through this, Google obtains knowledge that this website was accessed via your IP address. The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG. The consent can be revoked at any time.

If your browser does not support web fonts, a standard font from your computer will be used.
You can find more information about Google Web Fonts at developers.google.com/fonts/faq and in Google's privacy policy: policies.google.com/privacy.

Google Maps

This site uses the map service Google Maps via an API. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there.

The provider of this site has no influence on this data transmission. If Google Maps is activated, Google may use Google Web Fonts for the purpose of uniform display of fonts. When calling up Google Maps, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG. The consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: privacy.google.com/businesses/gdprcontrollerterms/ and privacy.google.com/businesses/gdprcontrollerterms/sccs/.
More information on the handling of user data can be found in Google's privacy policy: policies.google.com/privacy.

Google My Business

On this website we use the Google My Business function of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google My Business is a platform provided by Google that bundles various services of the Google Group and allows users direct access to them with the help of a dashboard. These include, among others, Google Analytics, Google Maps and YouTube. The Google My Business product allows companies to present themselves in Google Search and Google Maps.
Google My Business can identify the location of a user by means of the IP address. This data processing operation is carried out in accordance with Art. 6 (1) lit. f DSGVO on the basis of Google's legitimate interests.
For the purpose and scope of the data collection and the further processing and use of the data by Google, as well as your rights in this regard and setting options for protecting your privacy, please refer to Google's privacy policy:
www.google.com/intl/de/policies/privacy/

Audio and video conferencing

Data processing

We use online conferencing tools, among others, to communicate with our customers. The specific tools we use are listed below. When you communicate with us via video or audio conference over the Internet, your personal data is collected and processed by us and the provider of the respective conference tool. The conferencing tools thereby collect all data that you provide/enter to use the tools (email address and/or your phone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other "context information" related to the communication process (metadata). Furthermore, the provider of the tool processes all technical data required to handle the online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.

If content is shared, uploaded or otherwise made available within the tool, it will also be stored on the servers of the tool providers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other information shared while using the service. Please note that we do not have full control over the data processing operations of the tools used. Our options are largely based on the company policy of the respective provider. For further information on data processing by the conference tools, please refer to the data protection notices of the respective tools used, which we have listed below this text.

Purpose and legal basis

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 p. 1 lit. b DSGVO). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO). Insofar as consent has been requested, the tools in question are used on the basis of this consent; consent can be revoked at any time with effect for the future.

Storage period

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal retention periods remain unaffected. We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

Conference tools used

We use the following conferencing tools:

Microsoft Teams
We use Microsoft Teams. The provider is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. For details on data processing, please refer to the privacy notices of Microsoft Teams: privacy.microsoft.com/de-de/privacystatement.

Conclusion of an order processing contract
We have concluded an order processing contract with the Microsoft Teams provider and fully implement the strict requirements of the German data protection authorities when using Microsoft Teams.

Status 7/23