The Bank, as controller within the meaning of the General Data Protection Regulation ("GDPR"), collects and processes your personal data and other information when you use "External Applications". The following information provides an overview of how we process your personal data and your rights under data protection law.
1. Who is responsible for the data processing and who can I contact in this regard?
Deutsche Bank AG
60325 Frankfurt am Main
Tel: +49 (69) 910-10000
Fax: +49 (69) 910-10001
Our internal data protection officer may be contacted at
Deutsche Bank AG
Data protection officer
60325 Frankfurt am Main
Tel: +49 (69) 910-10000
2. What sources and data do we use?
We process the following categories of your personal data when you use "External Applications".
a. Personal Data actively provided by you:
"External Applications" is a discretionary offer by Deutsche Bank. In order to grant, review or revoke consents you have to log in using your Onlinebanking credentials ("FKN" + PIN).
In case of a grant of consent you have to accept the conditions provided by Deutsche Bank. In order to successfully share specific personal data with the third party, you also have to select the data you want to share.
Review and/or revoking of consent
In case you want to review and/or revoke a formerly given consent, you can visit https://api.db.com/gw/oidc/managegrants. Here you can find the description of the apps that you have given consent to use your data, what data they have access to and a button to revoke the consent.
We only save and use your FKN as an identifier in order to technologically be able to provide "External Applications" to you. For security and safety reasons, we also save:
- Your account managing bank entity
- The consent(s) you granted including date, time, content and third party application
- The date and time when you revoked a specific consent
3. Why do we process your data (purpose of the processing) and on what legal basis?
We process the aforementioned personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)
a. for the performance of contractual obligations (article 6 (1) b) GDPR)
The legal basis for the processing of your personal data is the contract concluded with you for using "External Applications". The purposes of the data processing are primarily dependent on the specific service.
b. for the purposes of safeguarding legitimate interests (article 6 (1) f) GDPR)
Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by a third party. Examples:
- Asserting legal claims and mounting a defense in the event of litigation
- Ensuring the bank’s IT security and IT operations
- Preventing crimes
- Measures to manage business and further develop services and products
c. on the basis of your consent (article 6 (1) a) GDPR)
Insofar as you have granted us consent to the processing of personal data for specific purposes (e. g., transfer of data within the association/Group), the lawfulness of such processing is based on your consent. For the services of "External Applications", where Deutsche Bank transfers different categories of personal data depending on the service of the third party provider, the legal basis will be in every case a consent given by you. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation shall only have effect for the future. Any processing that was carried out prior to the revocation shall not be affected thereby. You can request a status overview of the consents you have granted from us at any time or view some of them when banking online.
4. Who receives my data?
Within Deutsche Bank AG, those offices are given access to your data which require them in order to perform our contractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they observe professional secrecy and our written instructions under data protection law. These are mainly companies from the categories listed below.
With regard to the transfer of data to recipients outside the Deutsche Bank AG, it must first of all be noted that as a bank we are under a duty to maintain secrecy about any customer related facts and evaluations of which we may have knowledge. We may only disclose information about you if we are legally required to do so, if you have given your consent, if we are authorized to provide information and/or if processors commissioned by us guarantee compliance with secrecy and the provisions of the GDPR/BDSG.
Under these conditions, recipients of personal data may be, for example:
- Public authorities and institutions (e.g., Deutsche Bundesbank, BaFin, the European Banking Authority, the European Central Bank, tax offices, the German Federal Central Tax Office (Bundeszentralamt für Steuern)) insofar as a statutory or official obligation exists.
- Other credit and financial services institutions, comparable institutions and processors to whom we transfer personal data in order to perform the business relationship with you. Specifically: Support/Maintenance of EDP/IT applications, archiving, data destruction, website management.
Other recipients of data may be those offices to which you have given your consent to the transfer of data or with respect to which you have exempted us from banking secrecy by agreement or consent.
5. Is data transferred to a third country or to an international organisation?
Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your orders (e. g. payment and securities orders), prescribed by law (e. g., reporting obligations under tax law), if you have given us your consent or in the context of commissioned data processing. If service providers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.
6. How long will my data be stored?
We process and store your personal data as long as it is necessary for the performance of our contractual and statutory obligations. In this regard, it should be noted that our business relationship is a continuing obligation designed to last for several years.
If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:
a. Preservation of evidence within the scope of statutes of limitations. Under section 195 et seq. of the German/LUX Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may be up to 30 years, whereby the regular limitation period is three years.
7. What data protection rights do I have?
Every data subject has a right of access (article 15 GDPR), a right to rectification (article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to data portability (article 20 GDPR). The right of access and right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).
You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.
8. Am I under any obligation to provide data?
Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of the Application and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we would not be able to enter into any contract or execute the order without these data or we may no longer be able to carry out an existing contract and would have to terminate it.
In particular, provisions of money laundering law require that we verify your identity before entering into the business relationship, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents in accordance with section 12 (1) GWG and notify us without undue delay of any changes that may arise during the course of the business relationship in accordance with section 11 (6) GWG. If you do not provide us with the necessary information and documents, we will not be allowed to enter into or continue your requested business relationship.
Information on your right to object under article 21 of the EU General Data Protection Regulation (GDPR)
1. Ad hoc right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 (4) GDPR.
If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.
There are no formal requirements for lodging an objection; where possible it should be made by telephone to: +49 (69) 910-10000.