Data Protection Policy - prospect


The processing of your personal data is described below, as well as the rights you have under the data protection regulations in force: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and the regulations that develop it, hereinafter referred to as the ‘General Data Protection Regulation’ (GDPR). The type of data processed and the use of the data may vary in accordance with the relationship that we have established with you and the services and products requested and/or contracted.
The Bank will inform you regularly of any updates made to this content. You can access the updates to this Data Protection Policy on the Bank’s website in the ‘Data Protection Policy’ section. The website details are provided below. You can also access the Cookies Policy on the website in the ‘Cookie Policy’ section.

1. Who is responsible for processing data and who can I contact?


The organisation in charge is:
Deutsche Bank S.A. Española
Registered address: Paseo de la Castellana 18, 28046 Madrid

Customer service address for the exercise of rights:
Deutsche Bank S.A. Española
Servicio de Atención al Cliente (Customer Services)
Apartado de Correos 416, 08080 Barcelona, Spain
Email address:                    

Data Protection Officer (DPO): If requested, your complaint may be directed internally to the DPO once submitted to Customer Services at the aforementioned address. 

2. Which sources and data do we use?


We process the personal data that we receive within the framework of the business relationship that we have with our clients.

We consider that necessary, relevant personal data includes, but is not limited to, the following data required to initiate the business relationship with the holder or client, and that will be required throughout the course of the relationship in order to grant, contract and/or follow up a specific product/service:

(i) Identification data, family members and contact details: such as the holder’s name, addresses/other contact details (telephone, email address, contact maintained), handwritten signature, date/place of birth, gender, nationality, marital status, number of children, and, if relevant, legal representative.

(ii) Professional situation and activity, such as the type of work, sector, and whether employed/self-employed.

(iii) Housing type and detail (rented/owned), financial situation (assets, debt, solvency, income from employment/being self-employed, business activity, expenses, etc.), foreseen changes to financial situation (e.g. reaching retirement age), specific/main financial or investment objectives.

(iv) Information on the knowledge and experience of investment products (scoring and profiling, in accordance with the regulations for investment service markets and markets in financial instruments (MIFID)), investment relationship/strategy (reach, frequency, risk profile).

(v) Credit and solvency information and risk, taking into account data available in shared credit systems, such as the National Association of Financial Credit Institutions (ASNEF) and EXPERIAN, the Risk Information Centre (CIR) at the Bank of Spain and financial information verification sources.

(vi) Business data. This refers to data resulting from the proposal or contracting of products and services, such as movements and transactions, susceptibility to new contracts, the analysis of cookies and the visits and use of the Bank’s remote channels, social networks, as well as the products/services consulted.

(vii) Information derived from the registration and recording of telephone conversations and communications maintained with the Bank, as a result of internal quality controls performed on customer service phones and the obligation to maintain these records (MIFID - Financial Instruments Market regulations), as long as the channel and medium used (commercial or similar) is subjected to this measure.

(viii) Other data contained in the documentation provided to the Bank or obtained as a result of the relationship with the Bank, such as an identity document (national identity number, passport or other), payslips, notarial documents, both in hardcopy and digital copy, and, in general, documentation and information on contact made with the client by different means, including marketing campaigns.

3. For what purpose do we process your data (purpose of processing) and on what legal basis?


The aforementioned personal data is processed in accordance with the provisions of the GDPR, and the legal basis defined below:

a. Within the framework of an information request or the fulfilment of, or compliance with, contractual obligations (Art. 6.1 b) of the GDPR)


Personal data is processed in order to manage the request received and/or maintain the Bank's relationship with the owner.

This data processing may include needs analysis, advice, management and the conducting of transactions.

b. Justified by legitimate interest (Art. 6.1 f) of the GDPR)


When necessary, we process your personal data to meet our legitimate interests or those of third parties, for example:

— To consult and exchange data with credit information systems, in order to determine solvency and non-payment risks, the evaluation of risk and expert analysis by means of scoring and similar automated techniques, within the framework of the evaluation of operations, the granting of loans and the risk profile.

— To analyse client needs, consumer behaviour and preferences: including the segmentation and profiling of clients and the calculation of the probability of taking on a contract.

— For advertising, market and opinion studies using different means, as long as the client has not expressed opposition to their data being used for this purpose and these refer to financial products marketed by the Bank.

— To exercise legal rights and defence in the case of disputes.

— For the security of the Bank, the network and the infrastructures of the technological systems.

c. Due to legal imperative or for the benefit of public interest (Art. 6.1 c) and e) of the GDPR)

As a financial institution, the Bank is subject to different legal obligations (e.g. the Regulation for Banks on the Prevention of Money Laundering and the Financing of Terrorism, Securities Regulation, Regulation on Investment Services, Markets in Financial Instruments Directive, Tax Law), and to different types of monitoring regulations.

Similarly, we process data on the same legal basis in the following cases: the analysis of solvency and credit, verification of identity, the prevention of money laundering, compliance with obligations for tax control and the evaluation and management of risks in the Bank and the Deutsche Bank Group.

In the case of investment products and financial instruments, the Bank is obliged to assess the investment profile, in order to advise and recommend the appropriate type of product to the client, and, additionally, to keep records of communication and telephone conversations with the client, as well as email records, as part of the required due diligence and compliance in this area. This data may be required by the Spanish National Securities Market Commission and Courts.

4. Who receives my data?


Within the Bank, the departments that require your data in order to comply with their contractual and legal obligations have access to your data. Our service providers and financial agents can access the data for the same purpose, under the due data protection guarantees.

Furthermore, we can process information about you when necessary due to or resulting from legal provisions, when required by the contractual relationship that we have with you, and when you have given your consent or in the case of legitimate interest.

5. For how long will my data be stored?


We process and store your personal data as long as necessary to meet your request and maintain our commercial relationship.

Once your request has been attended to or your relationship with the Bank is cancelled, and if no complaints or amounts are outstanding with the Bank, the data will remain blocked, as long as no legal actions have been prescribed that could be filed by the parties, resulting from the services and products contracted, or the liabilities required as a result of these services or products, and as long as the storage periods defined by the relevant regulations have not finished. These can vary, depending on the case.
After this period, the data can be deleted or kept anonymously, meaning that it is not possible to identify the person referred to. In this way, the data can be used for statistics and internal analysis. 

6. What rights do I have in terms of data protection?


Every person has the right to access their information, in accordance with Art. 15 of the GDPR, to rectify their data (Art. 16 of the GDPR), to erase it (Art. 17 of the GDPR), to restrict the processing of their data (Art. 18 of the GDPR), to oppose it (Art. 21 of the GDPR), and the right to data portability (Art. 20 of the GDPR). All this is in accordance with the cases and the manner and means defined in the regulations on data protection. Similarly, every person has the right to file a complaint with a data protection supervisory authority (Art. 77 of the GDPR).

You can revoke, at any time, the consent granted for the processing of your personal data. This is also applicable in the case of consent provided prior to the EU’s General Data Protection Regulation coming into force on 25 May 2018. It should be noted that revocation and opposition cannot be retrospective. Data processed before the revocation or opposition will not be affected.

In particular, you can object at any time to our processing of your data to analyse your needs, habits and preferences, for profiling and the calculation of the probability of taking on a contract, and to send you advertising, as we have informed you in section 3. b.

The requesting party must provide an identity document (copy of national identity number, passport, foreign resident identification number, etc.) and contact the Bank by means of the channels designed for this purpose:

(i) In writing, by means of a request sent to Deutsche Bank, S.A. Española, Servicio de Atención al Cliente (Customer Service), Apartado de Correos 416, 08080 Barcelona.

(ii) by email, to the following email address: atenció

(iii) by completing the form on the website at

7. Am I obliged to provide information?


Within the framework of our business relationship, you must provide us with the personal data necessary to establish and implement the business relationship and to comply with the relevant contractual obligations, or to provide information that we are obliged to collect by law. Without this information, we will generally be obliged to reject the contract or the order and cannot continue to carry out the existing contract, and we will, therefore, be obliged to terminate the contract.

In particular, in accordance with the legal provisions on the prevention of money laundering, prior to beginning a business relationship, we are obliged to confirm your identity, for example, by means of your national identity document, and collect and store your name and surname, place and date of birth, nationality, and postal address. In order to continue complying with this legal obligation, you must provide us with the necessary information and documentation, in accordance with this regulation, and also notify us, without delay, of any changes to your information during the course of the business relationship. If you do not provide us with the necessary information and documentation, we will not be able to establish or continue the business relationship initiated.