As of April 2018
Data Protection Notice according to the EU General Data Protection Regulation
With the following information, we would like to give you an overview on the processing of your personal data by us and your rights under data protection law. The details of which data are processed and how they are used depends primarily on the services and/or investment products requested or agreed in each case.
- Who is responsible for the processing of data and who can I contact?
Responsibility lies with:
ADREALIS Service Kapitalverwaltungs-GmbH (hereinafter also referred to as “KVG”)
Telephone: +49 (0) 40 228 66 09 – 0
Fax: +49 (0) 40 228 66 09 – 99
In case of any data protection related queries, our internal data protection officer can be reached at any time under the above mentioned business address.
2. Which sources and which data do we use?
We process personal data which we receive from our clients in connection with our business relationship. Moreover, we process personal data – to the extent necessary for the performance of our services – legitimately obtained (for example for the execution of orders, for the fulfillment of contracts or on the basis of your given consent) from other companies belonging to the XOLARIS group or from any other third parties (e.g. Federal Central Tax Office). Furthermore, we process personal data legitimately obtained from publicly accessible sources (such as registers of commercial establishments and associations, press, media, internet) which we are permitted to process.
Relevant personal data within pre-contractual relations with interested parties, in the master data setup as well as in the course of an authorisation or in connection with other parties with a right of disposal to a contract, can be:
Name, address/other contact details (telephone, e-mail address), date/place of birth, gender, nationality, language, marital status, capacity to contract, occupational group key/type of partner (employed/self-employed), identification data, authentication data (e.g. specimen signature), tax ID, FATCA status.
In the context of the use of products/services from the product categories listed below, further personal data may be collected, processed and saved in addition to the above-mentioned data. These primarily include the following:
Current or relevant former profession, detailed information about knowledge of and/or experience with securities (MIFID status), investment behavior and strategy (amount, frequency, risk tolerance), financial situation (wealth, debts, income from employment/self-employed income/income from trade and business, expenditure), predictable changes of the financial circumstances (e.g. reaching retirement age), tax-related information (e.g. on church tax liability), documentation data (e.g. consultation records).
Within the scope of the business relationship, in particular through contacts with clients in person, over the phone or in writing, which are either initiated by you or the company, additional personal data is created, e.g. information about the contact channel, date, reason and result; (electronic) copies of correspondence as well as information on the participation in direct marketing actions.
3. What is the purpose of processing your data (processing purpose) and on which legal basis does this take place?
We process the above mentioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG):
The purposes of the data processing are primarily based on the specific product chosen by you (cf. section 2.). Therefore, the purposes mentioned below may be existent individually or cumulatively.
a. For the fulfillment of contractual obligations (Art. 6 (1) b) GDPR)
The processing of personal data takes place for the purpose of providing business transactions and financial services in the course of the performance of contracts with our clients or within the scope of pre-contractual measures that follow your enquiry.
b. Within the scope of the balancing of interests (Art. 6 (1) f) GDPR)
Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by third parties. Legitimate interests include, in particular, the following:
- Lodging legal claims and defence in case of legal disputes
- Ensuring the company’s IT security and IT operations
- Measures to manage business and further develop services and products
- Risk management within the group
c. As a result of your consent (Art. 6 (1) a) GDPR)
To the extent you have granted us consent to the processing of personal data for speciﬁc purposes (e.g. circulation of data within the group and/or to your investment advisor), such processing is legitimate on the basis of your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the effective date of the GDPR, i.e., prior to 25 May 2018. Please be advised that the revocation shall only have effect for the future.
Data that were processed prior to the revocation are not affected thereby. We are happy to provide you with a status overview of the consents granted to us upon your request at any time.
d. On the basis of statutory regulations (Art. 6 (1) c) GDPR) or in the public interest (Art. 6 (1) e) GDPR)
Moreover, we, as a company, are subject to various legal obligations, i.e. statutory requirements (such as regulatory law, the Money Laundering Act, Securities Trading Act, tax laws) as well as to supervisory requirements (e.g. the Federal Financial Supervisory Authority). The purposes of processing include, among others, checking identity, prevention of fraud and money laundering, compliance with obligations of control and reporting under tax law and the assessment and management of risks in KVG.
4. Who receives my data?
Within KVG, only those units will have access to your data who require them for the fulfillment of the contractual obligations.
Information about you may only be forwarded to third parties if legally required to do so, if you have given your consent or if we are authorised to provide information and/or if processors commissioned by us also guarantee compliance with secrecy and the provisions of the EU General Data Protection Regulation and the Federal Data Protection Act. Data is only passed on to the extent that is legally required. The types of data which may be passed on are specified under section 2.
Under the above mentioned conditions, recipients of personal data may, for example, be the following:
- Public authorities and institutions (such as the German Federal Bank, Federal Financial
Supervisory Authority, tax authorities, Federal Central Tax Office, etc.) on the basis of statutory or official obligations.
- Other credit and ﬁnancial services institutions, comparable institutions and order processors to whom we transfer personal data in order to conduct the business relationship with you.
- In detail: handling of bank enquiries, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, controlling, data screening for anti-money laundering purposes, data destruction, buying/sourcing, customer management, lettershops, marketing, reporting, research, risk controlling, telephony, video identification, website management, investment services, share register, fund management, auditing services, monetary transactions
Other recipients of data may be those bodies for which you have given your consent to data transfer or to which you have exempted us from the obligation of secrecy by agreement or consent.
5. Will data be transferred to a third country or an international organisation?
Data transfer to countries outside the European Union or the EEA (so-called third countries) will take place to the extent required for the execution of your orders (such as payment and security orders), and to the extent required by law (such as obligatory reporting under tax law) or you have given us your consent. In case service providers are used in third countries, such are obligated, in addition to written instructions, to comply with the level of data protection in Europe by way of conclusion of EU standard contractual clauses or other agreements stated in Art. 46, 47 GDPR. Insofar as your personal data are transferred to a third country, you can be provided with a copy of the respective agreements at any time upon written request. Please address your request to our internal data protection officer (see section 1.).
6. For how long will my data be stored?
We process and store the personal data provided by you only as long as it is necessary for the fulfillment of our contractual and statutory obligations. In this regard, it should be noted that our business relationship is a continuing obligation, designed to last long-term.
Our statutory obligations may, in particular, be the following:
- Compliance with obligations of retention under commercial or tax law: German Commercial Code, the German Fiscal Code, the German Banking Act, the Money Laundering Act and the Securities Trading Act . The time limits specified there for retention or documentation are two to ten years.
- Preservation of evidence under the statute of limitations. According to Secs. 195 et seqq. of the German Civil Code (BGB), these statutes of limitations may be up to 30 years, the regular statute of limitation being three years.
7. What are my rights with regard to data protection?
Every data subject has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As far as the right of access and the right to erasure are concerned, the restrictions pursuant to Secs. 34 and 35 Federal Data Protection Act are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 Federal Data Protection Act). The competent supervisory authority is Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach.
Your express consent to the processing of personal data granted to us may be revoked at any time by informing us accordingly. This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Note that such revocation will be valid only for the future. Processing that took place before the date of revocation is not affected.
8. Are you under any obligation to provide data?
The personal data which you provide within the scope of our business relationship are required for executing a business relationship and for compliance with the associated contractual obligations. As a rule, we would not be able to enter into a contract or execute an order without these data or we may no longer be able to carry out an existing contract and would have to terminate it.
In particular, provisions of money laundering law require that we verify your identity before entering into the business relationship, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents in accordance with sec. 4 VI Money Laundering Act and notify us without any delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to enter into or continue the intended business relationship.
9. To what extent will decision-making be automated (including profiling)?
As a matter of principle, we do not use fully automated decision-making processes pursuant to Article 22 GDPR. In the event that we should use such processes in individual cases, we will inform you accordingly if required by law.
10. Information on your rights of objection
- Right to object based on individual cases
You have the right to object, for reasons relating to your particular situation, to the processing of personal data concerning you, that occurs on the basis of Article 6 (1) f) GDPR, at any time (data-processing on the basis of balancing of interests).
If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.
Such an objection can be submitted in writing to the business address or sent by email to firstname.lastname@example.org.
Data Protection Notice (Data Protection Statement) for using the website of KVG
The web pages of KVG can be used without having to specify any personal data. However, should a data subject wish to use special services of our company through our website, the processing of personal data may, however, be required. Should the processing of personal data be necessary and there is no legal basis for such processing, we will generally obtain consent of the data subject.
The processing of personal data, such as the name, address, email address or telephone number of a data subject will always be in accordance with the General Data Protection Regulation (GDPR) and the country-specific data protection laws applicable to KVG. The purpose of this data protection statement is to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Moreover, this statement also informs data subjects of the rights they are entitled to.
KVG as data controller has implemented numerous technical and organisational measures to ensure the best possible protection of personal data processed through this website. However, the electronic transmission of data can, in principle, have security gaps, meaning that absolute protection cannot be guaranteed. For this reason, every data subject is free to transfer personal data to us through alternative means, for example, by telephone.
Cookies are used on KVG’s web pages. Cookies are text files that are stored on a computer system through a web browser.
The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an internet browser or other software programs. This is possible in most internet browsers. If the data subject deactivates the setting of cookies in the internet browser used, not all functions of our website may be usable to their full extent.
2. Collection of general data and information
Each time the website of KVG is accessed by a data subject or an automated system, it collects a series of general data and information. Such general data and information is stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites which are chosen by an accessing system on our website, (5) the date and time of access to the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system, and (8) any other similar data and information that is intended to be used for threat defence in the event of attacks on our information technology systems.
When using these general data and information, KVG does not draw any conclusions about the data subject. Rather, this information is required to (1) deliver the content of our website correctly, (2) optimise the content of our website as well as its advertisement, (3) ensure the long-term operational capability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, KVG analyses anonymously collected data and information statistically and with the aim of increasing the data protection and data security of our company in order to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
3. Contact through the website
Due to legal provisions, the website of KVG contains information that enables a quick electronic contact to our company, as well as direct communication with us, which also includes a general address of electronic mail (e-mail address). If a data subject contacts the data controller by e-mail or through a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject. There is no transfer of such personal data to any third parties.
4. Routine deletion and blocking of personal data
The data controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is provided for by the European legislator or other legislators in laws or regulations to which the data controller is subject to.
If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or other competent legislators expires, the personal data are routinely blocked or deleted in accordance with legal requirements.
5. Data protection for applications and during the application process
The data controller collects and processes the personal data of applicants for the purpose of handling the application procedure. Processing may also be carried out electronically. This is particularly the case if an applicant sends corresponding application documents to the data controller by electronic means, for example by e-mail or through a contact form on the website. In case of the conclusion of an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the data controller does not conclude an employment contract with the applicant, the application documents will be deleted two months after notification of the rejection decision, provided that deletion does not conflict with any other legitimate interests of the data controller, for example, a burden of proof in proceedings under the General Act on Equal Treatment (AGG).
The section “Data Protection Notice (Data Protection Statement) for using the website of KVG” of KVG’s Data Protection Statement has been generated by the Data Protection Statement Generator of the Deutsche Gesellschaft für Datenschutz [German Association for Data Protection] that was developed in cooperation with the media law attorneys WILDE BEUGER SOLMECKE.
This is an English translation of the original German version.