Data Protection Policy - Representatives, Attorneys or Authorized


The processing of your personal data is described below, as well as the rights that serve you in accordance with the data protection regulations in force: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and the regulations that it develops, hereinafter referred to as the ‘General Data Protection Regulation’ (GDPR). The type of data processed and the use of the data may vary in accordance with the relationship that we have established with the owner / client you represent or have authorizations or attorney powers, and the services and products requested and/or contracted.
We request that you provide this information to those people who currently have powers of representation, or will do so in the future, as well as financial beneficiaries (beneficial owner/final beneficiary), and other third parties whose information you have provided to us through the services and products, and the relationship that you have with the Bank, and whose information has, therefore, been processed. This includes beneficiaries, those authorised to operate in contracts and by means of remote channels, and also representatives and guarantors.

The Bank will update you regularly of any updates made to this content. You can access the updates to this Data Protection Policy on the Bank’s website in the ‘Data Protection Policy’ section. The website details are provided below. You can also access the Cookies Policy on the website in the ‘Cookie Policy’ section.

1. Who is responsible for processing data and who can I contact?


The organisation in charge is:
Deutsche Bank S.A. Española
Registered address: Paseo de la Castellana 18, 28046 Madrid

Customer service address for the exercise of rights:
Deutsche Bank S.A. Española
Servicio de Atención al Cliente (Customer Services)
Apartado de Correos 416, 08080 Barcelona, Spain
Email address: atenció                    

Data Protection Officer (DPO): If requested, your complaint may be directed internally to the DPO once submitted to Customer Services at the aforementioned address. 

2. Which sources and data do we use?


We process the personal data that we receive from you as the representative/proxy/authorised party of a contract holder/client. In addition to the information provided by you, we may obtain data from publicly accessible sources (property registers, entities registers, registers of associations, the press, the media, the Internet). 

We consider personal data of the representative or authorised person, whose data processing may be necessary and / or relevant, those data that required to manage the business relationship with the company that you represent:

(i) Identification data, family members and contact details: such as the holder’s name, addresses/other contact details (telephone, email address, contact maintained), handwritten signature, date/place of birth, gender, nationality, marital status, number of children, and, if relevant, legal representative.

(ii) Professional situation and activity, such as the type of work, sector, and whether employed/self-employed.

(iii) Information on the knowledge and experience of investment products (scoring and profiling, in accordance with the regulations for investment service markets and markets in financial instruments (MIFID)), investment relationship/strategy (reach, frequency, risk profile).

(iv) Tax information. This includes, for example, address/residency and scoring of the holder for the purpose of tax regulations, such as the Foreign Account Tax Compliance Act (FATCA), regarding mutual assistance between the USA and Spain, or the Common Reporting Standard (CRS) for international mutual assistance with the Organisation for Economic Co-operation and Development (OECD), and the profile assigned.

(v) Information resulting from compliance with the obligation of due diligence and other obligations established in or as a result of the regulations to prevent money laundering and financing of terrorism, including the illicit origin of funds, identification of a person from a political background or close family, or the beneficial owner or final beneficiary, as well as any other relevant information for the purpose of evaluating a situation, transaction or ownership, and the associated risk in this matter.

(vi) Identity and authentication data in Bank systems, such as passwords and remote banking coordinates, digital and/or electronic signature and, if relevant, biometric data. 

(vii) Data resulting from the register or recording of telephone conversations and communication with the Bank, as a result of the obligation to keep these records (in accordance with the regulations of the Markets in Financial Instruments Directive (MIFID), as long as the channel or medium used (commercial or other) is subject to this measure.

(viii) Other data contained in the documentation provided to the Bank or obtained as a result of the relationship with the Bank, such as an identity document (national identity number, passport or other), payslips, notarial documents, both in hardcopy and digital copy, and, in general, documentation and information on contact made with the client by different means, including marketing campaigns.

3. For what purpose do we process your data (purpose of processing) and on what legal basis?


The aforementioned personal data is processed in accordance with the provisions of the GDPR, and the legal basis defined below:

a. Within the framework of the fulfilment or compliance with contractual obligations (Art. 6.1 b) of the GDPR)

Personal data is processed in order to maintain the business relationship between the Bank and the contract holder you represent, to conduct banking operations and provide financial services, to contract and conduct transactions and orders, within the framework of compliance with our clients’ contracts, to conduct the necessary pre-contractual measures, or at the request of the interested party, including the control and maintenance of these measures.

On the same basis, the Bank conducts the management and demands for repayment of overdrafts and other non-payments, for itself or for third parties, using the means available to claim and obtain the outstanding amounts. The Bank consequently contacts the client using the means considered relevant, and the contact details provided by the holder or by a third party. 

b. Justified by legitimate interest (Art. 6.1. f) of the GDPR)

When necessary, we process your personal data to meet our legitimate interests or those of third parties, e.g.:

— To exercise legal rights and defence in the case of disputes.

— For the security of the Bank, the network and the infrastructures of the technological systems.

— To prevent, manage and respond to fraud and crime, such as money laundering and other types through remote operations (online banking or using and making transactions with debit and credit cards).

— To control regulatory, operational and credit risks within the Deutsche Bank Group.

— For internal administrative management within the Deutsche Bank Group

c. Consent (Art. 6.1a) of the GDPR)

If you have given us your consent, we will conduct additional data processing of which you were informed and for which you gave your consent. You can revoke your consent at any time. This is also applicable for consent granted before the coming into force of the EU’s General Data Protection Regulation on 25 May 2018. It should be noted that opposition to certain data processing or revoking consent is not retroactive. You can obtain further information, at any time, on the authorisations that you have granted us for the different types of data processing in section 9.

d. Due to legal imperative or for the benefit of public interest (Art. 6.1 c) and e) of the GDPR)

As a financial institution, the Bank is subject to different legal obligations (e.g. the Regulation for Banks on the Prevention of Money Laundering and the Financing of Terrorism, Securities Regulation, Regulation on Investment Services, Markets in Financial Instruments Directive, Tax Law), and to different types of monitoring regulations. These obligations and supervision may require additional data to be processed. 

In the case of investment products and financial instruments, the Bank is obliged to assess the knowledge and experience of the client in such products and, additionally, to keep records of communication and telephone conversations with the client, as well as email records, as part of the required due diligence and compliance in this area. This data may be required by the Spanish National Securities Market Commission and Courts.

4. Who receives my data?


Within the Bank, the departments that require your data in order to comply with their contractual and legal obligations have access to your data. Our service providers and financial agents can access the data for the same purpose, under the due data protection guarantees.

Furthermore, we can process information about you when necessary due to or resulting from legal provisions, when required by the contractual relationship that we have with you, and when you have given your consent or in the case of legitimate interest.

On this basis, the recipients of personal data, may be, for example:

—  Public organisations, institutions and supervisory organisations, such as the Bank of Spain, the European Central Bank, the Spanish National Securities Market Commission, and the Spanish Directorate General for Insurance and Pension Funds.
The Bank is obliged to notify the Risk Information Centre (CIR) of the Bank of Spain of any operation that has a risk for the institution. It is also obliged to notify the Commission for the Prevention of Money Laundering (SEPBLAC) of any indication or suspicion of an operation as part of the prevention of money laundering and the financing of terrorism, and also to inform the Commission of the opening, cancellation and holding of current accounts, savings accounts, securities or fixed-term deposits, thereby providing the identity data of its contract holders, representatives and authorised parties of all types, or any person with the power of disposal over this, by means of the Financial Ownership File, so that the data collected is available to legal organisations in the case of investigations relating to money laundering.

— Companies within the Deutsche Bank Group and the parent company, within the framework of compliance with regulations and the prevention of money laundering and fraud, and for administrative purposes internally within the Group.

— In the case of investigations, denunciations and procedures, the public administration, public organisation, court, tribunals and law enforcement agencies following the matter, and, internally, the areas or departments within the Deutsche Bank Group that co-operate in recovering information, clarifying, assessing and notifying the respective organisation of the facts.

5. Which data will be sent to third countries or international organisations?


Data will only be sent to countries outside the European Union or EU (called third countries) if it is necessary for orders to be carried out (e.g. orders of payment or securities), if required by law (e.g. tax information obligations), if you have given us your authorisation, or in the framework of the processing of data as service providers. If service providers in third countries are used, these are obliged to comply with instructions written on this matter by means of entering into an agreement that guarantees compliance with the level of data protection in Europe, with the standard contractual clauses established in the EU.

6. For how long will my data be stored?


We process and store your personal data as long as necessary for us to comply with our contractual and legal obligations. In this respect, it should be noted that our business relationship is a continuous, long-term obligation.

When any contracts, or the general relationship with the Bank, are cancelled, and if no complaints or amounts are outstanding by the Bank, the data will remain blocked, as long as no legal actions have been prescribed that could be filed by the parties, resulting from the services and products contracted, or the liabilities required as a result of these services or products, and as long as the storage periods defined by the relevant regulations have not finished. These can vary, depending on the case.

After this period, the data can be deleted or kept anonymously, meaning that it is not possible to identify the person referred to. In this way, the data can be used for statistics and internal analysis. 

7. What rights do I have in terms of data protection?


Every person has the right to access their information, in accordance with Art. 15 of the GDPR, to rectify their data (Art, 16 of the GDPR), to erase it (Art. 17 of the GDPR), to restrict the processing of their data (Art. 18 of the GDPR), to oppose it (Art. 21 of the GDPR), and the right to data portability (Art. 20 of the GDPR). All this is in accordance with the cases and the manner and means defined in the regulations on data protection. Similarly, every person has the right to file a complaint to an authority controlling data protection (Art. 77 of the GDPR).

You can revoke, at any time, the consent granted for the processing of your personal data. This is also applicable in the case of consent provided prior to the EU’s General Data Protection Regulation coming into force on 25 May 2018. It should be noted that revoking and opposing data cannot be retrospective. Data processed before it is revoked and opposed will not be affected. 

The requesting party must provide an identity document (copy of national identity number, passport, foreign resident identification number, etc.) and contact the Bank by means of the channels designed for this purpose:

i. In writing, by means of a request sent to Deutsche Bank, S.A. Española, Servicio de Atención al Cliente (Customer Service), Apartado de Correos 416, 08080 Barcelona.

ii. by email, to the following email address: atenció

iii. by completing the form on the website at

It should be noted that for products such as insurance, the insurance company is responsible for this data and its processing, as defined in the relevant product’s documentation. It is, therefore, necessary to contact the insurance company’s customer service department in order to exercise your rights.

8. Am I obliged to provide information?


Within the framework of our business relationship, you must provide us with the personal data necessary to establish and implement the business relationship and to comply with the relevant contractual obligations, or to provide information that we are obliged to collect by law. Without this information, we will generally be obliged to reject the contract or the order and cannot continue to carry out the existing contract, and we will, therefore, be obliged to terminate the contract.

In particular, in accordance with the legal provisions on the prevention of money laundering, prior to beginning a business relationship, we are obliged to confirm your identity, for example, by means of your national identity document, and collect and store your name and surname, place and date of birth, nationality, and postal address. In order to continue complying with this legal obligation, you must provide us with the necessary information and documentation, in accordance with this regulation, and also notify us, without delay, of any changes to your information during the course of the business relationship. If you do not provide us with the necessary information and documentation, we will not be able to establish or continue the business relationship initiated.