Data Protection Policy - client


The processing of your personal data is described below, as well as the rights available to you in accordance with the data protection regulations in force: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and the regulations that it develops, hereinafter referred to as the ‘General Data Protection Regulation’ (GDPR). The type of data processed and the use of the data may vary in accordance with the relationship that we have established with you and the services and products requested and/or contracted.
We request that you provide this information to those people who currently have powers of representation, or will do so in the future, as well as financial beneficiaries (beneficial owner/final beneficiary), and other third parties whose information you have provided to us through the services and products, and the relationship that you have with the Bank, and whose information has, therefore, been processed. This includes beneficiaries, those authorised to operate in contracts and by means of remote channels, and also representatives and guarantors.

The Bank will inform you regularly of any updates made to this content. You can access the updates to this Data Protection Policy on the Bank’s website in the ‘Data Protection Policy’ section. The website details are provided below. You can also access the Cookies Policy on the website in the ‘Cookie Policy’ section.

1. Who is responsible for processing data and who can I contact?


The organisation in charge is:
Deutsche Bank S.A. Española
Registered address: Paseo de la Castellana 18, 28046 Madrid

Customer service address for the exercise of rights:
Deutsche Bank S.A. Española
Servicio de Atención al Cliente (Customer Services)
Apartado de Correos 416, 08080 Barcelona, Spain
Email address: atenció                    

Data Protection Officer (DPO): If requested, your complaint may be directed internally to the DPO once submitted to Customer Services at the aforementioned address. 

2. Which sources and data do we use?


We process the personal data that we receive within the framework of the business relationship that we have with our clients. In addition to the data that you provide, and when necessary for the provision of a service, we also process data received from other companies in the Deutsche Bank Group (this data can be consulted on the aforementioned website), or from third parties. For example, this could be for carrying out orders or transfers, to consult credit information systems, such as ASNEF and EXPERIAN, for contracts commercialised by the Bank, the management of which involves a third party, such as in the case of insurance, investment funds and pensions.

Furthermore, we may process data from publicly accessible sources (property registers, companies registers, registers of associations, the press, the media, the Internet) and authorities and public organisations, such as the General Treasury of Social Security, to verify the holder’s source of income, as provided for in the relevant regulations, or the Risk Information Centre (CIR) file at the Bank of Spain on the holder’s risk and solvency, and/or the organisation that provides these functions at a European level, if we are legitimately authorised to do so.

We consider that necessary, relevant personal data includes, but is not limited to, the following data required to initiate the business relationship with the holder or client, and that will be required throughout the course of the relationship in order to grant, contract and/or follow up a specific product/service:

(i) Identification data, family members and contact details: such as the holder’s name, addresses/other contact details (telephone, email address, contact maintained), handwritten signature, date/place of birth, gender, nationality, marital status, number of children, and, if relevant, legal representative.

(ii) Professional situation and activity, such as the type of work, sector, and whether employed/self-employed.

(iii) Housing type and detail (rented/owned), financial situation (assets, debt, solvency, income from employment/being self-employed, business activity, expenses, etc.), foreseen changes to financial situation (e.g. reaching retirement age), specific/main financial or investment objectives.

(iv) Information on the knowledge and experience of investment products (scoring and profiling, in accordance with the regulations for investment service markets and markets in financial instruments (MIFID)), investment relationship/strategy (reach, frequency, risk profile).

(v) Credit and solvency information and risk, taking into account data available in shared credit systems, such as the National Association of Financial Credit Institutions (ASNEF) and EXPERIAN, the Risk Information Centre (CIR) at the Bank of Spain and financial information verification sources.

(vi) Tax information. This includes, for example, address/residency and scoring of the holder for the purpose of tax regulations, such as the Foreign Account Tax Compliance Act (FATCA), regarding mutual assistance between the USA and Spain, or the Common Reporting Standard (CRS) for international mutual assistance with the Organisation for Economic Co-operation and Development (OECD), and the profile assigned.

(vii) Information resulting from compliance with the obligation of due diligence and other obligations established in or as a result of the regulations to prevent money laundering and financing of terrorism, including the illicit origin of funds, identification of a person from a political background or close family, or the beneficial owner or final beneficiary, as well as any other relevant information for the purpose of evaluating a situation, transaction or ownership, and the associated risk in this matter.

(viii) Identity and authentication data in Bank systems, such as passwords and remote banking coordinates, digital and/or electronic signature and, if relevant, biometric data. 

(ix) Business data. This refers to data resulting from the proposal or contracting of products and services, such as movements and transactions, susceptibility to new contracts, the analysis of cookies and the visits and use of the Bank’s remote channels, social networks, as well as the products/services consulted.

(x) Data resulting from the register or recording of telephone conversations and communication with the Bank, as a result of the obligation to keep these records (in accordance with the regulations of the Markets in Financial Instruments Directive (MIFID)), as long as the channel or medium used (commercial or other) is subject to this measure.

(xi) Other data contained in the documentation provided to the Bank or obtained as a result of the relationship with the Bank, such as an identity document (national identity number, passport or other), payslips, notarial documents, both in hardcopy and digital copy, and, in general, documentation and information on contact made with the client by different means, including marketing campaigns.

3. For what purpose do we process your data (purpose of processing) and on what legal basis?


The aforementioned personal data is processed in accordance with the provisions of the GDPR, and the legal basis defined below:

a. Within the framework of the fulfilment or compliance with contractual obligations (Art. 6.1 b) of the GDPR)

Personal data is processed in order to maintain the business relationship between the Bank and the contract holder, to conduct banking operations and provide financial services, to contract and conduct transactions and orders, within the framework of compliance with our clients’ contracts, to conduct the necessary pre-contractual measures, or at the request of the interested party, including the control and maintenance of these measures.

On the same basis, the Bank conducts the management and demands for repayment of overdrafts and other non-payments, for itself or for third parties, using the means available to claim and obtain the outstanding amounts. The Bank consequently contacts the client using the means considered relevant, and the contact details provided by the holder or by a third party. 

This data processing may include needs analysis, advice, management and the conducting of transactions. Further information can be found in the contractual documentation and the relevant business conditions.

b. Justified by legitimate interest (Art. 6.1 f) of the GDPR)

When necessary, we process your personal data to meet our legitimate interests or those of third parties. For example:

— To consult and exchange data with credit information systems, in order to determine solvency and non-payment risks, the evaluation of risk and expert analysis by means of scoring and similar automated techniques, within the framework of the evaluation of operations, the granting of loans and the risk profile.

— To analyse client needs, consumer behaviour and preferences: including the segmentation and profiling of clients and the calculation of the probability of taking on a contract.

— For advertising, market and opinion studies using different means, as long as the client has not expressed opposition to their data being used for this purpose and these relate to financial products commercialised by the Bank.

— To exercise legal rights and defence in the case of disputes.

— For the security of the Bank, the network and the infrastructures of the technological systems.

— To prevent, manage and respond to fraud and crime, such as money laundering and other types through remote operations (online banking or using and making transactions with debit and credit cards).

— To control regulatory, operational and credit risks within the Deutsche Bank Group.

— For internal administrative management within the Deutsche Bank Group.

c. Consent (Art. 6.1 a) of the GDPR)

If you have given us your consent, we will conduct additional data processing of which you were informed and for which you gave your consent (e.g. the assessment of your activity history, browser analysis and the use of the Bank’s digital channels, and, where relevant, cookies). You can revoke your consent at any time. This is also applicable for consent granted before the coming into force of the EU’s General Data Protection Regulation on 25 May 2018. It should be noted that opposition to certain data processing or revoking consent is not retroactive. You can obtain further information, at any time, on the authorisations that you have granted us for the different types of data processing in section 9.

In section 11, you can indicate your authorisation for the processing of your data by the Bank for the following purposes:

(i) To send you commercial notifications on non-financial products or non-DB Group external companies, in hardcopy or digitally, telematically and/or by contacting you by telephone.

(ii) To send you commercial notifications on non-financial products and services commercialised by the Bank, in hardcopy or digitally, telematically and/or by contacting you by telephone.

(iii) To analyse your consumer behaviour and preferences based on information and transactional movements made more than two years previously. This includes client segmentation and profiling, and calculates the probability of taking on a contract, so that the Bank can detect client needs and target its offer.

d. Due to legal imperative or for the benefit of public interest (Art. 6.1 c) and e) of the GDPR)

As a financial institution, the Bank is subject to different legal obligations (e.g. the Regulation for Banks on the Prevention of Money Laundering and the Financing of Terrorism, Securities Regulation, Regulation on Investment Services, Markets in Financial Instruments Directive, Tax Law), and to different types of monitoring regulations.

Similarly, we process data on the same legal basis in the following cases: the analysis of solvency and credit, verification of identity, the prevention of money laundering, compliance with obligations for tax control and the evaluation and management of risks in the Bank and the Deutsche Bank Group.

In the case of investment products and financial instruments, the Bank is obliged to assess the investment profile, in order to advise and recommend the appropriate type of product to the client, and, additionally, to keep records of communication and telephone conversations with the client, as well as email records, as part of the required due diligence and compliance in this area. This data may be required by the Spanish National Securities Market Commission and Courts.

4. Automated decisions


In order to justify and conduct the business relationship, we do not generally use fully automated decision making processes, according to Art. 22 of the GDPR. If we do use this procedure occasionally, you have the right to human intervention for decision making. In the case of a request for a risk operation, and within the limitations indicated internally, the system may grant an operation, although these decisions are subject to review randomly and on a regular basis.

5. Is profiling carried out?


We process your data in order to assess different aspects (profiling). For example, we use profiling in the following cases:

— Due to legal obligations, we are obliged to act against money laundering and fraud. In this case, we also carry out data assessment (for example, in payment operations). These measures also contribute to your security. 

— In order to actively inform and advise you on our products, we use assessment tools. In the case of investment products and financial instruments, the Bank is obliged to assess your investment profile to advise and recommend the type of product relevant to your profile. We also use profiling that enables us to target our communication and advertising to the demand, including market and opinion studies.

— Within the framework of compliance with tax regulations, we also use profiles (scoring), in order to assess the impact of obligations resulting from the FATCA and CRS regulations affecting the client. 

— Within the framework of evaluating your loan capacity, we use the system of scoring. For this, we calculate the probability of a client fulfilling their payment obligations, in accordance with the contract. Therefore, for example, the calculation may take into account the level of income, expenses, outstanding debts, professional situation and family situation, the experience of previous business relations with the Bank, previous loans, and information from credit information systems. Scoring is a recognised mathematical statistical procedure that is tested and reviewed regularly. The scoring results calculated help us make decisions and are included in the ongoing management of risk. If the decision is fully automated, you have the right to obtain human intervention in the matter.

6. Who receives my data?


Within the Bank, the departments that require your data in order to comply with their contractual and legal obligations have access to your data. Our service providers and financial agents can access the data for the same purpose, under the due data protection guarantees.

Furthermore, we can process information about you when necessary due to or resulting from legal provisions, when required by the contractual relationship that we have with you, and when you have given your consent or in the case of legitimate interest.

On this basis, the recipients of personal data may be, for example:

— Public organisations, institutions and supervisory organisations, such as the Bank of Spain, the European Central Bank, the Spanish National Securities Market Commission, and the Spanish Directorate General for Insurance and Pension Funds.

The Bank is obliged to notify the Risk Information Centre (CIR) of the Bank of Spain of any operation that has a risk for the institution. It is also obliged to notify the Commission for the Prevention of Money Laundering (SEPBLAC) of any indication or suspicion of an operation as part of the prevention of money laundering and the financing of terrorism, and also to inform the Commission of the opening, cancellation and holding of current accounts, savings accounts, securities or fixed-term deposits, thereby providing the identity data of its contract holders, representatives and authorised parties of all types, or any person with the power of disposal over this, by means of the Financial Ownership File, so that the data collected is available to legal organisations in the case of investigations relating to money laundering.

The Bank is obliged to notify the Spanish Tax Authorities of data relating to contract holders for which there are indications that the holder is subject to paying tax to tax authorities in other countries, in accordance with international agreements and the applicable tax regulations (FATCA in the USA and CRS in the OECD).

— Companies comprising the Deutsche Bank Group and the parent company, within the framework of compliance with financial regulations and risks relating to consolidated groups of companies, and carrying out global profitability studies for each client, with the study, evaluation, follow-up, control and recovery of risks, the prevention of money laundering and fraud, and for internal administrative purposes at a group level.

— Other loan institutions and financial services, similar institutions and organisations responsible for processing data to whom we transfer personal data in order to fulfil the contractual relationship with you, or for the provision of additional benefits and/or results of the product or service contracted, such as discounts or insurance related to cards or current accounts, the management of valuation of an asset for the granting of risk linked to the asset. All this is in accordance with the information provided by the holder. In particular, the insurance institution, when contracting insurance, the managing institution for a pension plan or investment funds when contracting one of these products: financial institutions affiliated to the information exchange system (Swift), institutions in the same sector or with the same legal obligation regarding the prevention of fraud and money laundering.

— In the case of requesting the transfer of investment funds, the Bank will send the relevant data on the fund or investment company to the recipient institution, which will request the movement of your balance with economic or consolidated rights.

— In the case of money transfers, the loan institutions and other payment service providers, as well as payment systems and technological service providers related to those which send the data in order to carry out the transaction, may be obliged by the legislation in the country in which they operate, or by agreements by the State, to provide information on the transaction to the authorities or official organisations in other countries, both within and outside the European Union (EU), within the framework of preventing the financing of terrorism and serious forms of organised crime and to prevent money laundering.                    

— Furthermore, in the case of non-payment, the Bank will send the relevant data on the amount owed by the holder to the relevant files on non-compliance with financial obligations and financial solvency and creditworthiness, with which it has agreements (ASNEF, EXPERIAN and similar organisations).

— In the case of investigations, denunciations and procedures, the public administration, public organisation, court, tribunals and law enforcement agencies following the matter, and, internally, the areas or departments within the Deutsche Bank Group that co-operate in recovering information, clarifying, assessing and notifying the respective organisation of the facts.

7. Which data will be sent to third countries or international organisations?


Data will only be sent to countries outside the EU (called third countries) if it is necessary for orders to be carried out (e.g. orders of payment or securities), if required by law (e.g. tax information obligations), if you have given us your authorisation, or in the framework of the processing of data as service providers. If service providers in third countries are used, these are obliged to comply with instructions written on this matter by means of entering into an agreement that guarantees compliance with the level of data protection in Europe, with the standard contractual clauses established in the EU.

8. For how long will my data be stored?


We process and store your personal data as long as necessary for us to comply with our contractual and legal obligations. In this respect, it should be noted that our business relationship is a continuous, long-term obligation.

When any contracts, or the general relationship with the Bank, are cancelled, and if no complaints or amounts are outstanding by the Bank, the data will remain blocked, as long as no legal actions have been prescribed that could be filed by the parties, resulting from the services and products contracted, or the liabilities required as a result of these services or products, and as long as the storage periods defined by the relevant regulations have not finished. These can vary, depending on the case.

After this period, the data can be deleted or kept anonymously, meaning that it is not possible to identify the person referred to. In this way, the data can be used for statistics and internal analysis. 

9. What rights do I have in terms of data protection?


Every person has the right to access their information, in accordance with Art. 15 of the GDPR, to rectify their data (Art. 16 of the GDPR), to erase it (Art. 17 of the GDPR), to restrict the processing of their data (Art. 18 of the GDPR), to oppose it (Art. 21 of the GDPR), and the right to data portability (Art. 20 of the GDPR). All this is in accordance with the cases and the manner and means defined in the regulations on data protection. Similarly, every person has the right to file a complaint to an authority controlling data protection (Art. 77 of the GDPR).

You can revoke, at any time, the consent granted for the processing of your personal data. This is also applicable in the case of consent provided prior to the EU’s General Data Protection Regulation coming into force on 25 May 2018. It should be noted that revoking and opposing data cannot be retrospective. Data processed before it is revoked and opposed will not be affected. 

In particular, you can object at any time to our processing of your data to analyse your needs, habits and preferences, to profiling and the calculation of the probability of taking on a contract, and to our sending you advertising, as we have informed you in section 3 b.

The requesting party must provide an identity document (copy of national identity number, passport, foreign resident identification number, etc.) and contact the Bank by means of the channels designed for this purpose:

i. In writing, by means of a request sent to Deutsche Bank, S.A. Española, Servicio de Atención al Cliente (Customer Service), Apartado de Correos 416, 08080 Barcelona.

ii. by email, to the following email address: atenció

iii. by completing the form on the website at

It should be noted that for products such as insurance, the insurance company is responsible for this data and its processing, as defined in the relevant product’s documentation. It is, therefore, necessary to contact the insurance company’s customer service department in order to exercise your rights.

10. Am I obliged to provide information?


Within the framework of our business relationship, you must provide us with the personal data necessary to establish and implement the business relationship and to comply with the relevant contractual obligations, or to provide information that we are obliged to collect by law. Without this information, we will generally be obliged to reject the contract or the order and cannot continue to carry out the existing contract, and we will, therefore, be obliged to terminate the contract.

In particular, in accordance with the legal provisions on the prevention of money laundering, prior to beginning a business relationship, we are obliged to confirm your identity, for example, by means of your national identity document, and collect and store your name and surname, place and date of birth, nationality, and postal address. In order to continue complying with this legal obligation, you must provide us with the necessary information and documentation, in accordance with this regulation, and also notify us, without delay, of any changes to your information during the course of the business relationship. If you do not provide us with the necessary information and documentation, we will not be able to establish or continue the business relationship initiated.