Data Protection Policy

Deutsche Bank Sociedad Anónima Española has an ongoing commitment to data confidentiality, security and protection of its users and customers.

Any information that a User may provide in the forms posted on these web pages and any other information that we may collect about the User in the course of browsing these pages shall be processed in the strictest confidence and whenever collected the User shall be informed of the use made of and purposes for which Deutsche Bank shall use this information.

Furthermore, Deutsche Bank wishes to provide you with information, offers and personalised contents based on your preferences and needs, for the ultimate purpose of delivering a better service to you and keeping you constantly informed of our products, services and special promotions. In order to do so, whenever you have given your express consent, we shall process the data collected from your visits and use of Deutsche Bank's digital channels (Online Banking Service, mobile apps) in order to analyse, assign and create consumer profiles and habits by analysing your preferences, requests and searches, for the purposes of contacting you in order to provide you with marketing information about the products and services sold or brokered by the Bank that we consider may be of interest to you, through any means, including electronic media.

 

  • If you have given your consent to the data referred to in the above paragraph being processed but no longer wish that they be processed for these purposes, please instruct us to this regard by writing an email to db-online@db.com.
  • If you wish to access the Notice that describes how your personal data are processed, you may do so as the data subject through any of the forms on our websites and microsites.

    Notice that describes how your personal data are processed as the data subject on any of the forms on our websites and microsites.

    The processing of your personal data is described below, as well as the rights that serve you in accordance with the data protection regulations in force: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and the regulations that it develops, hereinafter referred to as the ‘General Data Protection Regulation’ (GDPR). The type of data processed and the use of the data may vary in accordance with the relationship that we have established with you and the services and products requested and/or contracted.

    The Bank will update you regularly of any updates made to this content. You can access the updates to this Data Protection Policy on the Bank’s website in the ‘Data Protection Policy’ section. The website details are provided below. You can also access the Cookies Policy on the website in the ‘Cookie Policy’ section.

     

    1. Who is responsible for processing data and who can I contact?

    The organisation in charge is:

    • Deutsche Bank S.A. Española
    • Registered address: Paseo de la Castellana 18, 28046 Madrid
    • http://www.db.com

    Customer service address for the exercise of rights:

    • Deutsche Bank S.A. Española
    • Apartado de Correos 416, 08080 Barcelona, Spain
    • Email address: proteccionde.datos@db.com
    • Data Protection Officer (DPO): If requested, your complaint may be directed internally to the DPO once submitted to Customer Services at the aforementioned address.

     

    2. Which sources and data do we use?

    We process the personal data that we receive within the framework of the business relationship that we have with our clients.

    We consider that necessary, relevant personal data includes, and is not limited to, the following data required to initiate the business relationship with the holder or client, and that will be required throughout the course of the relationship in order to grant, contract and/or follow up a specific product/service:

    (i)         Identification data, family members and contact details: such as the holder’s name, addresses/other contact details (telephone, email address, contact maintained), handwritten signature, date/place of birth, gender, nationality, marital status, number of children, and, if relevant, legal representative.

    (ii)        Professional situation and activity, such as the type of work, sector, and whether employed/self-employed.

    (iii)       Housing type and detail (rented/owned), financial situation (assets, debt, solvency, income from employment/being self-employed, business activity, expenses, etc.), foreseen changes to financial situation (e.g. reaching retirement age, specific/main financial or investment objectives.

    (iv)       Information on the knowledge and experience of investment products (scoring and profiling, in accordance with the regulations for investment service markets and markets in financial instruments (MIFID)), investment relationship/strategy (reach, frequency, risk profile).

    (v)        Credit and solvency information and risk, taking into account data available in shared credit systems, such as the National Association of Financial Credit Institutions (ASNEF) and EXPERIAN, the Risk Information Centre (CIR) at the Bank of Spain and financial information verification sources.

    (vi)       Business data. This refers to data resulting from the proposal or contracting of products and services, such as movements and transactions, susceptibility to new contracts, the analysis of cookies and the visits and use of the Bank’s remote channels, social networks, as well as the products/services consulted.

    (vii)      Information derived from the registration and recording of telephone conversations and communications maintained with the Bank, as a result of internal quality controls performed on customer service phones and the obligation to maintain these records (MIFID - Financial Instruments Market regulations), as long as the channel and medium used (commercial or similar) is subjected to this measure.

    (viii)     Other data contained in the documentation provided to the Bank or obtained as a result of the relationship with the Bank, such as an identity document (national identity number, passport or other), payslips, notarial documents, both in hardcopy and digital copy, and, in general, documentation and information on contact made with the client by different means, including marketing campaigns.

     

    3. For what purpose do we process your data (purpose of processing) and on what legal basis?

    The aforementioned personal data is processed in accordance with the provisions of the GDPR, and the legal basis defined below:

    a. Within the framework of information request or the fulfilment or compliance with contractual obligations (Art. 6.1 b) of the GDPR)

     

    Personal data is processed in order manage the request received and / or maintain the Bank's relationship with the owner.

    This data processing may include needs analysis, advice, management and the conducting of transactions.

    b. Justified by legitimate interest (Art. 6.1. f) of the GDPR)

     

    When necessary, we process your personal data to meet our legitimate interests or those of third parties, For example:

    -    To consult and exchange data with credit information systems, in order to determine solvency and non-payment risks, the evaluation of risk and expert analysis by means of scoring and similar automated techniques, within the framework of the evaluation of operations, the granting of loans and the risk profile.

    -    To analyse client needs, consumer behaviour and preferences: including the segmentation and profiling of clients and the calculation of the probability of taking on a contract.

    -    For advertising, market and opinion studies using different means, as long as the client has not expressed opposition to their data being used for this purpose and these are referred to financial products commercialized by the Bank.

    -    To exercise legal rights and defence in the case of disputes.

    -    For the security of the Bank, the network and the infrastructures of the technological systems.

    c. Due to legal imperative or for the benefit of public interest (Art. 6.1 c) and e) of the GDPR)

    As a financial institution, the Bank is subject to different legal obligations (e.g. the Regulation for Banks on the Prevention of Money Laundering and the Financing of Terrorism, Securities Regulation, Regulation on Investment Services, Markets in Financial Instruments Directive, Tax Law), and to different types of monitoring regulations.

    Similarly, we process data on the same legal basis in the following cases: the analysis of solvency and credit, verification of identity, the prevention of money laundering, compliance with obligations for tax control and the evaluation and management of risks in the Bank and the Deutsche Bank Group.

    In the case of investment products and financial instruments, the Bank is obliged to assess the investment profile, in order to advise and recommend the appropriate type of product to the client, and, additionally, to keep records of communication and telephone conversations with the client, as well as email records, as part of the required due diligence and compliance in this area. This data may be required by the Spanish National Securities Market Commission and Courts.

     

    4. Who receives my data?

    Within the Bank, the departments that require your data in order to comply with their contractual and legal obligations have access to your data. Our service providers and financial agents can access the data for the same purpose, under the due data protection guarantees.

    Furthermore, we can process information about you when necessary due to or resulting from legal provisions, when required by the contractual relationship that we have with you, and when you have given your consent or in the case of legitimate interest.

     

    5. For how long will my data be stored?

    We process and store your personal data as long as necessary to meet your request and maintain our commercial relationship.

    Once attended your request or relationship with the Bank is cancelled, and if no complaints or amounts are outstanding by the Bank, the data will remain blocked, as long as no legal actions have been prescribed that could be filed by the parties, resulting from the services and products contracted, or the liabilities required as a result of these services or products, and as long as the storage periods defined by the relevant regulations have not finished. These can vary, depending on the case.

    After this period, the data can be deleted or kept anonymously, meaning that it is not possible to identify the person referred to. In this way, the data can be used for statistics and internal analysis.

     

    6. What rights do I have in terms of data protection?

    Every person has the right to access their information, in accordance with Art. 15 of the GDPR, to rectify their data (Art, 16 of the GDPR), to erase it (Art. 17 of the GDPR), to restrict the processing of their data (Art. 18 of the GDPR), to oppose it (Art. 21 of the GDPR), and the right to data portability (Art. 20 of the GDPR). All this is in accordance with the cases and the manner and means defined in the regulations on data protection. Similarly, every person has the right to file a complaint to an authority controlling data protection (Art. 77 of the GDPR).

    You can revoke, at any time, the consent granted for the processing of your personal data. This is also applicable in the case of consent provided prior to the EU’s General Data Protection Regulation coming into force on 25 May 2018. It should be noted that revoking and opposing data cannot be retrospective. Data processed before it is revoked and opposed will not be affected.

    In particular, you can object at any time to our data to analyze your needs, habits and preferences, profiling and calculation of recruitment probabilities and to send you advertising as we have informed you in section 3. b.

    The requesting party must provide an identity document (copy of national identity number, passport, foreign resident identification number, etc.) and contact the Bank by means of the channels designed for this purpose:

    (i)         In writing, by means of a request sent to Deutsche Bank, S.A. Española, Apartado de Correos 416, 08080 Barcelona.

    (ii)        by email, to the following email address: proteccionde.datos@db.com

    (iii)       by completing the form on the website at http://www.db.com

     

    7. Am I obliged to provide information?

    Within the framework of our business relationship, you must provide us with the personal data necessary to establish and implement the business relationship and to comply with the relevant contractual obligations, or to provide information that we are obliged to collect by law. Without this information, we will generally be obliged to reject the contract or the order and cannot continue to carry out the existing contract, and we will, therefore, be obliged to terminate the contract.

    In particular, in accordance with the legal provisions on the prevention of money laundering, prior to beginning a business relationship, we are obliged to confirm your identity, for example, by means of your national identity document, and collect and store your name and surname, place and date of birth, nationality, and postal address. In order to continue complying with this legal obligation, you must provide us with the necessary information and documentation, in accordance with this regulation, and also notify us, without delay, of any changes to your information during the course of the business relationship. If you do not provide us with the necessary information and documentation, we will not be able to establish or continue the business relationship initiated.

  • If you are a customer and wish to access the Data Protection Notice that describes how your personal data are processed as such.

    Data Protection Notice that describes how your personal data are processed as a customer

    Below is described how your personal data are processed and your rights pursuant to the data protection regulation in force, namely, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and the rules for its implementation, hereinafter, “data protection regulations” or “GDPR”. The type of data processed and the use of the data may vary in accordance with the relationship that we have established with you and the services and products requested and/or contracted.

    Please provide this information to any persons who currently or in the future hold powers of attorney, as well as to any economic beneficiaries (beneficial owner/ultimate beneficiary) and other third parties whose data you have submitted as a result of the products and services provided and the relationship you have with the Bank and, therefore, that are subject to processing. For instance, beneficiaries authorised to handle accounts or remote channels, attorneys-in-fact and guarantors.

    The Bank shall keep you regularly informed of the updates to the content herein. You may see the updates of this Data Protection Policy by going to the Bank’s website referred to below, under the heading “Data Protection Policy”. You may likewise access the Cookies Policy on the same website, under the heading “Cookies Policy”.

     

    1. Who is the controller of your personal data?


    The data controller is:

    Deutsche Bank S.A. Española

    Registered address: Paseo de la Castellana 18, 28046 Madrid

    http://www.db.com

    Address for the exercise of rights:

    Deutsche Bank S.A. Española

    Apartado de Correos 416, 08080 Barcelona

    Email address: proteccionde.datos@db.com

    Data protection officer (DPO): If you so request, your claim may be handed over internally to the DPO once it has been submitted to Customer Service at the above address.

     

    2. What sources and data do we use?


    We process the personal data that we receive within the framework of the business relationship that we have with our customers. In addition to the data that you provide, and when necessary for the provision of a service, we also process data received from other companies in the Deutsche Bank Group (this data can be consulted on the aforementioned website), or from third parties. For example, this could be for carrying out orders or transfers, to consult credit information systems, such as ASNEF and EXPERIAN, for contracts commercialised by the Bank, the management of which involves a third party, such as in the case of insurance, investment funds and pensions.

    Furthermore, we may process data from publicly accessible sources (property registers, companies registers, registers of associations, the press, the media, the Internet) and authorities and public organisations, such as the General Treasury of Social Security, to verify the holder’s source of income, as provided for in the relevant regulations, or the Risk Information Centre (CIR) file at the Bank of Spain on the holder’s risk and solvency, and/or the organisation that provides these functions at a European level, if we are legitimately authorised to do so.

    We consider that necessary, relevant personal data includes, and is not limited to, the following data required to initiate the business relationship with the holder or customer, and that will be required throughout the course of the relationship in order to grant, contract and/or follow up a specific product/service

    (i)       Identification data, family members and contact details: such as the holder’s name, addresses/other contact details (telephone, email address, contact maintained), handwritten signature, date/place of birth, gender, nationality, marital status, number of children, and, if relevant, legal representative.

    (ii)      Professional situation and activity, such as the type of work, sector, and whether employed/self-employed.

    (iii)     Housing type and detail (rented/owned), financial situation (assets, debt, solvency, income from employment/being self-employed, business activity, expenses, etc.), foreseen changes to financial situation (e.g. reaching retirement age, specific/main financial or investment objectives.

    (iv)    Information on the knowledge and experience of investment products (scoring and profiling, in accordance with the regulations for investment service markets and markets in financial instruments (MIFID)), investment relationship/strategy (reach, frequency, risk profile).

    (v)     Credit and solvency information and risk, taking into account data available in shared credit systems, such as the National Association of Financial Credit Institutions (ASNEF) and EXPERIAN, the Risk Information Centre (CIR) at the Bank of Spain and financial information verification sources.

    (vi)    Tax information. This includes, for example, address/residency and scoring of the holder for the purpose of tax regulations, such as the Foreign Account Tax Compliance Act (FATCA), regarding mutual assistance between the USA and Spain, or the Common Reporting Standard (CRS) for international mutual assistance with the Organisation for Economic Co-operation and Development (OECD), and the profile assigned.

    (vii)   Information resulting from compliance with the obligation of due diligence and other obligations established in or as a result of the regulations to prevent money laundering and financing of terrorism, including the illicit origin of funds, identification of a person from a political background or close family, or the beneficial owner or final beneficiary, as well as any other relevant information for the purpose of evaluating a situation, transaction or ownership, and the associated risk in this matter.

    (viii)  Identity and authentication data in Bank systems, such as passwords and remote banking coordinates, digital and/or electronic signature and, if relevant, biometric data.

    (ix)    Business data. This refers to data resulting from the proposal or contracting of products and services, such as movements and transactions, susceptibility to new contracts, the analysis of cookies and the visits and use of the Bank’s remote channels, social networks, as well as the products/services consulted.

    (x)     Data resulting from the register or recording of telephone conversations and communication with the Bank, as a result of the obligation to keep these records (in accordance with the regulations of the Markets in Financial Instruments Directive (MIFID)), as long as the channel or medium used (commercial or other) is subject to this measure.

    (xi)    Other data contained in the documentation provided to the Bank or obtained as a result of the relationship with the Bank, such as an identity document (national identity number, passport or other), payslips, notarial documents, both in hard copy and digital copy, and, in general, documentation and information on contact made with the customer by different means, including marketing campaigns.

     

    3. For what purpose do we process your data (purpose of processing) and on what legal basis?


    The aforementioned personal data is processed in accordance with the provisions of the GDPR, and the legal basis defined below:

     

    a. Within the framework of the fulfilment or compliance with contractual obligations (Art. 6.1 b) of the GDPR-

    Personal data is processed in order to maintain the business relationship between the Bank and the Framework, to conduct banking operations and provide financial services, to contract and conduct transactions and orders, within the framework of compliance with our customers’ contracts, to conduct the necessary pre-contractual measures, or at the request of the interested party, including the control and maintenance of these measures.

    On the same basis, the Bank conducts the management and demands for repayment of overdrafts and other non-payments, for itself or for third parties, using the means available to claim and obtain the outstanding amounts. The Bank consequently contacts the customer using the means considered relevant, and the contact details provided by the holder or by a third party.

    This data processing may include needs analysis, advice, management and the conducting of transactions. Further information can be found in the contractual documentation and the relevant business conditions.

     

    b. Justified by legitimate interest (Art. 6.1. f) of the GDPR-

    When necessary, we process your personal data to meet our legitimate interests or those of third parties. For example:

    · To consult and exchange data with credit information systems, in order to determine solvency and non-payment risks, the evaluation of risk and expert analysis by means of scoring and similar automated techniques, within the framework of the evaluation of operations, the granting of loans and the risk profile.

    · To analyse customer needs, consumer behaviour and preferences: including the segmentation and profiling of customers and the calculation of the probability of taking on a contract.

    · For advertising, market and opinion studies using different means, as long as the customer has not expressed opposition to their data being used for this purpose.

    · To exercise legal rights and defence in the case of disputes.

    · For the security of the Bank, the network and the infrastructures of the technological systems.

    · To prevent, manage and respond to fraud and crime, such as money laundering and other types through remote operations (online banking or using and making transactions with debit and credit cards).

    · To control regulatory, operational and credit risks within the Deutsche Bank Group.

    · For internal administrative management within the Deutsche Bank Group

     

    c. Consent (Art. 6.1a) of the GDPR-

    Provided you have given your consent, your data shall be subject to additional processing about which you were informed. You can revoke your consent at any time. This is also applicable for consent granted before the coming into force of the EU’s General Data Protection Regulation on 25 May 2018. It should be noted that opposition to certain data processing or revoking consent is not retroactive. You can obtain further information, at any time, on the authorisations that you have granted us for the different types of data processing in section 9.

    In section 11, you can indicate your authorisation for the processing of your data by the Bank for the following purposes:

    (i)     To send you marketing messages on non-financial products and companies that do not belong to the DB Group, in hard copy or digitally, telematically and/or by contacting you by telephone.

    (ii)    To send you commercial notifications on non-financial products and services commercialised by the Bank, in hard copy or digitally, telematically and/or by contacting you by telephone.

    (iii)   To analyse your consumer behaviour and preferences based on information and transactional movements made more than two years previously. This includes customer segmentation and profiling, and calculates the probability of taking on a contract, so that the Bank can detect customer needs and target its offer,

     

    d. Due to legal imperative or for the benefit of public interest (Art. 6.1 c) and e) of the GDPR-

    As a financial institution, the Bank is subject to different legal obligations (e.g. the Regulation for Banks on the Prevention of Money Laundering and the Financing of Terrorism, Securities Regulation, Regulation on Investment Services, Markets in Financial Instruments Directive, Tax Law), and to different types of monitoring regulations.

    Similarly, we process data on the same legal basis in the following cases: the analysis of solvency and credit, verification of identity, the prevention of money laundering, compliance with obligations for tax control and the evaluation and management of risks in the Bank and the Deutsche Bank Group.

    In the case of investment products and financial instruments, the Bank is obliged to assess the investment profile, in order to advise and recommend the appropriate type of product to the customer, and, additionally, to keep records of communication and telephone conversations with the customer, as well as email records, as part of the required due diligence and compliance in this area. This data may be required by the Spanish National Securities Market Commission and Courts.

     

    4. Automated decisions


    In order to justify and conduct the business relationship, we do not generally use fully automated decision making processes, according to Art. 22 of the GDPR. If we do use this procedure occasionally, you have the right to human intervention for decision making. In the case of a request for a risk operation, and within the limitations indicated internally, the system may grant an operation, although these decisions are subject to review randomly and on a regular basis.

     

    5. Is profiling carried out?


    We process your data in order to assess different aspects (profiling). For example, we use profiling in the following cases:

    · Due to legal obligations, we are obliged to act against money laundering and fraud. In this case, we also carry out data assessment (for example, in payment operations). These measures also contribute to your security.

    · In order to actively inform and advise you on our products, we use assessment tools. In the case of investment products and financial instruments, the Bank is obliged to assess your investment profile to advise and recommend the type of product relevant to your profile. We also use profiling that enables us to target our communication and advertising to the demand, including market and opinion studies.

    · Within the framework of compliance with tax regulations, we also use profiles (scoring), in order to assess the impact of obligations resulting from the FATCA and CRS regulations affecting the customer.

    · Within the framework of evaluating your loan capacity, we use the system of scoring. For this, we calculate the probability of a customer fulfilling their payment obligations, in accordance with the contract. Therefore, for example, the calculation may take into account the level of income, expenses, outstanding debts, professional situation and family situation, the experience of previous business relations with the Bank, previous loans, and information from credit information system. Scoring is a recognised mathematical statistical procedure that tested and reviewed regularly. The scoring results calculated help us make decisions and are included in the ongoing management of risk. If the decision is fully automated, you have the right to obtain human intervention in the matter.

     

    6. Who receives my data?


    Within the Bank, the departments that require your data in order to comply with their contractual and legal obligations have access to your data. Our service providers and financial agents can access the data for the same purpose, under the due data protection guarantees.

    Furthermore, we can process information about you when necessary due to or resulting from legal provisions, when required by the contractual relationship that we have with you, and when you have given your consent or in the case of legitimate interest.

    On this basis, the recipients of personal data, may be, for example:

     

    · Public organisations, institutions and supervisory organisations, such as the Bank of Spain, the European Central Bank, the Spanish National Securities Market Commission, and the Spanish Directorate General for Insurance and Pension Funds.

    The Bank is obliged to notify the Risk Information Centre (CIR) of the Bank of Spain of any operation that has a risk for the institution. It is also obliged to notify the Commission for the Prevention of Money Laundering (SEPBLAC) of any indication or suspicion of an operation as part of the prevention of money laundering and the financing of terrorism, and also to inform the Commission of the opening, cancellation and holding of current accounts, savings accounts, securities or fixed-term deposits, thereby providing the identity data of its contract holders, representatives and authorised parties of all types, or any person with the power of disposal over this, by means of the Financial Ownership File, so that the data collected is available to legal organisations in the case of investigations relating to money laundering.

    For its part, the Bank is obliged to notify the Spanish Tax Authorities of data relating to Frameworks for which there are indications that the holder is subject to paying tax to tax authorities in other countries, in accordance with international agreements and the applicable tax regulations (FACTA in the USA and CRS in the OECD)

    · Companies comprising the Deutsche Bank Group and the parent company, within the framework of compliance with financial regulations and risks relating to consolidable groups of companies, and carrying out global profitability studies for each customer, with the study, evaluation, follow-up, control and recovery of risks, the prevention of money laundering and fraud, and for internal administrative purposes at a group level.

    - Other loan institutions and financial services, similar institutions and organisations responsible for processing data to whom we transfer personal data in order to fulfil the contractual relationship with you, or for the provision of additional benefits and/or results of the product or service contracted, such as discounts or insurance related to cards or current accounts, the management of valuation of an asset for the granting of risk linked to the asset. All this is in accordance with the information provided by the holder. In particular, the insurance institution, when contracting insurance, the managing institution for a pension plan or investment funds when contracting one of these products: financial institutions affiliated to the information exchange system (Swift), institutions in the same sector or with the same legal obligation regarding the prevention of fraud and money laundering.

    · In the case of requesting the transfer of investment funds, the Bank will send the relevant data on the fund or investment company to the recipient institution, which will request the movement of your balance with economic or consolidated rights.

    · In the case of money transfers, the loan institutions and other payment service providers, as well as payment systems and technological service providers related to those which send the data in order to carry out the transaction, may be obliged by the legislation in the country in which they operate, or by agreements by the State, to provide information on the transaction to the authorities or official organisations in other countries, both within and outside the European Union, within the framework of preventing the financing of terrorism and serious forms of organised crime and to prevent money laundering.

    · Furthermore, in the case of non-payment, the Bank will send the relevant data on the amount owed by the holder to the relevant files on non-compliance with financial obligations and financial solvency and creditworthiness, with which it has agreements (ASNEF, EXPERIAN and similar organisations).

    · In the case of investigations, denunciations and procedures, the public administration, public organisation, court, tribunals and law enforcement agencies following the matter, and, internally, the areas or departments within the Deutsche Bank Group that co-operate in recovering information, clarifying, assessing and notifying the respective organisation of the facts.

     

    7. Which data will be sent to third countries or international organisations?


    Data will only be sent to countries outside the European Union or EU (called third countries) if it is necessary for orders to be carried out (e.g. orders of payment or securities), if required by law (e.g. tax information obligations), if you have given us your authorisation, or in the framework of the processing of data as service providers. If service providers in third countries are used, these are obliged to comply with instructions written on this matter by means of entering into an agreement that guarantees compliance with the level of data protection in Europe, with the standard contractual clauses established in the EU.

     

    8. For how long will my data be stored?


    We process and store your personal data as long as necessary for us to comply with our contractual and legal obligations. In this respect, it should be noted that our business relationship is a continuous, long-term obligation.

    When any contracts, or the general relationship with the Bank, are cancelled, and if no complaints or amounts are outstanding by the Bank, the data will remain blocked, as long as no legal actions have been prescribed that could be filed by the parties, resulting from the services and products contracted, or the liabilities required as a result of these services or products, and as long as the storage periods defined by the relevant regulations have not finished. These can vary, depending on the case.

    After this period, the data can be deleted or kept anonymous, meaning that it is not possible to identify the person referred to. In this way, the data can be used for statistics and internal analysis.

     

    9. What rights do I have in terms of data protection?


    Every person has the right to access their information, in accordance with Art. 15 of the GDPR, to rectify their data (Art, 16 of the GDPR), to erase it (Art. 17 of the GDPR), to restrict the processing of their data (Art. 18 of the GDPR), to oppose it (Art. 21 of the GDPR), and the right to data portability (Art. 20 of the GDPR). All this is in accordance with the cases and the manner and means defined in the regulations on data protection. Similarly, every person has the right to file a complaint to an authority controlling data protection (Art. 77 of the GDPR).

    You can revoke, at any time, the consent granted for the processing of your personal data. This is also applicable in the case of consent provided prior to the EU’s General Data Protection Regulation coming into force on 25 May 2018. It should be noted that revoking and opposing data cannot be retrospective. Data processed before it is revoked and opposed will not be affected.

    Specifically, you may at any time object to us processing your data for examining your needs, habits and preferences, profiling and calculating the probability of taking out a product or service, and to us sending you publicity as we informed you in section 3, b.

    The requesting party must provide an identity document (copy of national identity number, passport, foreign resident identification number, etc.) and contact the Bank by means of the channels designed for this purpose:

     

    i.      In writing, by means of a request sent to Deutsche Bank, S.A. Española, Apartado de Correos 416, 08080 Barcelona.

    ii.      By email, to the following email address: proteccionde.datos@db.com

    iii.      By completing the form on the website at www.db.com/spain/

     

    It should be noted that for products such as insurance, the insurance company is responsible for this data and its processing, as defined in the relevant product’s documentation. It is, therefore, necessary to contact the insurance company’s customer service department in order to exercise your rights.

     

    10. Am I obliged to provide information?


    Within the framework of our business relationship, you must provide us with the personal data necessary to establish and implement the business relationship and to comply with the relevant contractual obligations, or to provide information that we are obliged to collect by law. Without this information, we will generally be obliged to reject the contract or the order and cannot continue to carry out the existing contract, and we will, therefore, be obliged to terminate the contract.

    In particular, in accordance with the legal provisions on the prevention of money laundering, prior to beginning a business relationship, we are obliged to confirm your identity, for example, by means of your national identity document, and collect and store your name and surname, place and date of birth, nationality, and postal address. In order to continue complying with this legal obligation, you must provide us with the necessary information and documentation, in accordance with this regulation, and also notify us, without delay, of any changes to your information during the course of the business relationship. If you do not provide us with the necessary information and documentation, we will not be able to establish or continue the business relationship initiated.

  • If you are a legal representative, attorney-in-fact or individual authorised to act on behalf of a customer and wish to access the Data Protection Notice that describes how your personal data are processed.

    Data Protection Notice that describes how the personal data of legal representatives, attorneys-in-fact or individuals authorised to act on behalf of a customer are processed.

    The processing of your personal data is described below, as well as the rights that serve you in accordance with the data protection regulations in force: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and the regulations that it develops, hereinafter referred to as the ‘General Data Protection Regulation’ (GDPR). The type of data processed and the use of the data may vary in accordance with the relationship that we have established with the owner / client you represent or have authorizations or attorney powers, and the services and products requested and/or contracted.

    We request that you provide this information to those people who currently have powers of representation, or will do so in the future, as well as financial beneficiaries (beneficial owner/final beneficiary), and other third parties whose information you have provided to us through the services and products, and the relationship that you have with the Bank, and whose information has, therefore, been processed. This includes beneficiaries, those authorised to operate in contracts and by means of remote channels, and also representatives and guarantors.

    The Bank will update you regularly of any updates made to this content. You can access the updates to this Data Protection Policy on the Bank’s website in the ‘Data Protection Policy’ section. The website details are provided below. You can also access the Cookies Policy on the website in the ‘Cookie Policy’ section.

     

    1. Who is responsible for processing data and who can I contact?

    The organisation in charge is:

    • Deutsche Bank S.A. Española
    • Registered address: Paseo de la Castellana 18, 28046 Madrid
    • http://www.db.com

    Customer service address for the exercise of rights:

    • Deutsche Bank S.A. Española
    • Apartado de Correos 416, 08080 Barcelona, Spain
    • Email address: proteccionde.datos@db.com
    • Data Protection Officer (DPO): If requested, your complaint may be directed internally to the DPO once submitted to Customer Services at the aforementioned address.

     

    2. Which sources and data do we use?

    We process the personal data that we receive from you as the representative/proxy/authorised party of a contract holder/client. In addition to the information provided by you, we may obtain data from publicly accessible sources (property registers, entities registers, registers of associations, the press, the media, the Internet).

    We consider personal data of the representative or authorised person, whose data processing may be necessary and / or relevant, those data that required to manage the business relationship with the company that you represent:

    (i)        Identification data, family members and contact details: such as the holder’s name, addresses/other contact details (telephone, email address, contact maintained), handwritten signature, date/place of birth, gender, nationality, marital status, number of children, and, if relevant, legal representative.

    (ii)       Professional situation and activity, such as the type of work, sector, and whether employed/self-employed.

    (iii)      Information on the knowledge and experience of investment products (scoring and profiling, in accordance with the regulations for investment service markets and markets in financial instruments (MIFID)), investment relationship/strategy (reach, frequency, risk profile).

    (iv)     Tax information. This includes, for example, address/residency and scoring of the holder for the purpose of tax regulations, such as the Foreign Account Tax Compliance Act (FATCA), regarding mutual assistance between the USA and Spain, or the Common Reporting Standard (CRS) for international mutual assistance with the Organisation for Economic Co-operation and Development (OECD), and the profile assigned.

    (v)      Information resulting from compliance with the obligation of due diligence and other obligations established in or as a result of the regulations to prevent money laundering and financing of terrorism, including the illicit origin of funds, identification of a person from a political background or close family, or the beneficial owner or final beneficiary, as well as any other relevant information for the purpose of evaluating a situation, transaction or ownership, and the associated risk in this matter.

    (vi)     Identity and authentication data in Bank systems, such as passwords and remote banking coordinates, digital and/or electronic signature and, if relevant, biometric data.

    (vii)    Data resulting from the register or recording of telephone conversations and communication with the Bank, as a result of the obligation to keep these records (in accordance with the regulations of the Markets in Financial Instruments Directive (MIFID), as long as the channel or medium used (commercial or other) is subject to this measure.

    (viii)   Other data contained in the documentation provided to the Bank or obtained as a result of the relationship with the Bank, such as an identity document (national identity number, passport or other), payslips, notarial documents, both in hardcopy and digital copy, and, in general, documentation and information on contact made with the client by different means, including marketing campaigns.

     

    3. For what purpose do we process your data (purpose of processing) and on what legal basis?

    The aforementioned personal data is processed in accordance with the provisions of the GDPR, and the legal basis defined below:

    a. Within the framework of the fulfilment or compliance with contractual obligations (Art. 6.1 b) of the GDPR)

    Personal data is processed in order to maintain the business relationship between the Bank and the contract holder you represent, to conduct banking operations and provide financial services, to contract and conduct transactions and orders, within the framework of compliance with our clients’ contracts, to conduct the necessary pre-contractual measures, or at the request of the interested party, including the control and maintenance of these measures.

    On the same basis, the Bank conducts the management and demands for repayment of overdrafts and other non-payments, for itself or for third parties, using the means available to claim and obtain the outstanding amounts. The Bank consequently contacts the client using the means considered relevant, and the contact details provided by the holder or by a third party.

    b. Justified by legitimate interest (Art. 6.1. f) of the GDPR)

    When necessary, we process your personal data to meet our legitimate interests or those of third parties, e.g.:

    -    To exercise legal rights and defence in the case of disputes.

    -    For the security of the Bank, the network and the infrastructures of the technological systems.

    -    To prevent, manage and respond to fraud and crime, such as money laundering and other types through remote operations (online banking or using and making transactions with debit and credit cards).

    -    To control regulatory, operational and credit risks within the Deutsche Bank Group.

    -    For internal administrative management within the Deutsche Bank Group

    c. Consent (Art. 6.1a) of the GDPR)

    If you have given us your consent, we will conduct additional data processing of which you were informed and for which you gave your consent. You can revoke your consent at any time. This is also applicable for consent granted before the coming into force of the EU’s General Data Protection Regulation on 25 May 2018. It should be noted that opposition to certain data processing or revoking consent is not retroactive. You can obtain further information, at any time, on the authorisations that you have granted us for the different types of data processing in section 9.

    d. Due to legal imperative or for the benefit of public interest (Art. 6.1 c) and e) of the GDPR)

    As a financial institution, the Bank is subject to different legal obligations (e.g. the Regulation for Banks on the Prevention of Money Laundering and the Financing of Terrorism, Securities Regulation, Regulation on Investment Services, Markets in Financial Instruments Directive, Tax Law), and to different types of monitoring regulations. These obligations and supervision may require additional data to be processed.

    In the case of investment products and financial instruments, the Bank is obliged to assess the knowledge and experience of the client in such products and, additionally, to keep records of communication and telephone conversations with the client, as well as email records, as part of the required due diligence and compliance in this area. This data may be required by the Spanish National Securities Market Commission and Courts.

     

    4. Who receives my data?

    Within the Bank, the departments that require your data in order to comply with their contractual and legal obligations have access to your data. Our service providers and financial agents can access the data for the same purpose, under the due data protection guarantees.

    Furthermore, we can process information about you when necessary due to or resulting from legal provisions, when required by the contractual relationship that we have with you, and when you have given your consent or in the case of legitimate interest.

    On this basis, the recipients of personal data, may be, for example:

    -    Public organisations, institutions and supervisory organisations, such as the Bank of Spain, the European Central Bank, the Spanish National Securities Market Commission, and the Spanish Directorate General for Insurance and Pension Funds.

    The Bank is obliged to notify the Risk Information Centre (CIR) of the Bank of Spain of any operation that has a risk for the institution. It is also obliged to notify the Commission for the Prevention of Money Laundering (SEPBLAC) of any indication or suspicion of an operation as part of the prevention of money laundering and the financing of terrorism, and also to inform the Commission of the opening, cancellation and holding of current accounts, savings accounts, securities or fixed-term deposits, thereby providing the identity data of its contract holders, representatives and authorised parties of all types, or any person with the power of disposal over this, by means of the Financial Ownership File, so that the data collected is available to legal organisations in the case of investigations relating to money laundering.

    -    Companies within the Deutsche Bank Group and the parent company, within the framework of compliance with regulations and the prevention of money laundering and fraud, and for administrative purposes internally within the Group.

    -    In the case of investigations, denunciations and procedures, the public administration, public organisation, court, tribunals and law enforcement agencies following the matter, and, internally, the areas or departments within the Deutsche Bank Group that co-operate in recovering information, clarifying, assessing and notifying the respective organisation of the facts.

     

    5. Which data will be sent to third countries or international organisations?

    Data will only be sent to countries outside the European Union or EU (called third countries) if it is necessary for orders to be carried out (e.g. orders of payment or securities), if required by law (e.g. tax information obligations), if you have given us your authorisation, or in the framework of the processing of data as service providers. If service providers in third countries are used, these are obliged to comply with instructions written on this matter by means of entering into an agreement that guarantees compliance with the level of data protection in Europe, with the standard contractual clauses established in the EU.

     

    6. For how long will my data be stored?

    We process and store your personal data as long as necessary for us to comply with our contractual and legal obligations. In this respect, it should be noted that our business relationship is a continuous, long-term obligation.

    When any contracts, or the general relationship with the Bank, are cancelled, and if no complaints or amounts are outstanding by the Bank, the data will remain blocked, as long as no legal actions have been prescribed that could be filed by the parties, resulting from the services and products contracted, or the liabilities required as a result of these services or products, and as long as the storage periods defined by the relevant regulations have not finished. These can vary, depending on the case.

    After this period, the data can be deleted or kept anonymously, meaning that it is not possible to identify the person referred to. In this way, the data can be used for statistics and internal analysis.

     

    7. What rights do I have in terms of data protection?

    Every person has the right to access their information, in accordance with Art. 15 of the GDPR, to rectify their data (Art, 16 of the GDPR), to erase it (Art. 17 of the GDPR), to restrict the processing of their data (Art. 18 of the GDPR), to oppose it (Art. 21 of the GDPR), and the right to data portability (Art. 20 of the GDPR). All this is in accordance with the cases and the manner and means defined in the regulations on data protection. Similarly, every person has the right to file a complaint to an authority controlling data protection (Art. 77 of the GDPR).

    You can revoke, at any time, the consent granted for the processing of your personal data. This is also applicable in the case of consent provided prior to the EU’s General Data Protection Regulation coming into force on 25 May 2018. It should be noted that revoking and opposing data cannot be retrospective. Data processed before it is revoked and opposed will not be affected.

    The requesting party must provide an identity document (copy of national identity number, passport, foreign resident identification number, etc.) and contact the Bank by means of the channels designed for this purpose:

            i.      In writing, by means of a request sent to Deutsche Bank, S.A. Española, Apartado de Correos 416, 08080 Barcelona.

           ii.      by email, to the following email address: proteccionde.datos@db.com

          iii.      by completing the form on the website at http://www.db.com

    It should be noted that for products such as insurance, the insurance company is responsible for this data and its processing, as defined in the relevant product’s documentation. It is, therefore, necessary to contact the insurance company’s customer service department in order to exercise your rights.

     

    8. Am I obliged to provide information?

    Within the framework of our business relationship, you must provide us with the personal data necessary to establish and implement the business relationship and to comply with the relevant contractual obligations, or to provide information that we are obliged to collect by law. Without this information, we will generally be obliged to reject the contract or the order and cannot continue to carry out the existing contract, and we will, therefore, be obliged to terminate the contract.

    In particular, in accordance with the legal provisions on the prevention of money laundering, prior to beginning a business relationship, we are obliged to confirm your identity, for example, by means of your national identity document, and collect and store your name and surname, place and date of birth, nationality, and postal address. In order to continue complying with this legal obligation, you must provide us with the necessary information and documentation, in accordance with this regulation, and also notify us, without delay, of any changes to your information during the course of the business relationship. If you do not provide us with the necessary information and documentation, we will not be able to establish or continue the business relationship initiated.

     

In any event, Users may address by email proteccionde.datos@db.com or by post by writing to Deutsche Bank, Sociedad Anónima Española, Apartado de Correos 416, 08080 Barcelona, to exercise their rights as recognised in the current data protection regulation.