
Of the Association of Foreign Banks in Germany
We are pleased to welcome you to our website. We take the protection of your personal data very seriously and would like you to feel safe and comfortable when visiting our internet pages.
1. Performance of tasks under the statutes or rules of procedure
We process the data of our members and their employees, supporters, interested parties, business partners or other persons (collectively: “data subjects”) if we are involved in a membership relationship or other business relationship with them and perform the tasks assigned to us or are recipients or providers of services and benefits. In all other respects, we process the data of data subjects on the basis of our legitimate interests, e.g. if administrative tasks or public relations activities are involved.
For these data processing operations, we use software that is operated on a web server provided by CRM Consults GmbH, Felsweg 14, 35435 Wettenberg, Germany. We have concluded a data processing agreement (AVV) with CRM Consults GmbH.
The data processed in this respect, the nature, scope and purpose of such processing and the necessity of its processing, shall be determined by the underlying membership or contractual relationship, from which the necessity of providing any data is also derived.
We delete data which are no longer required for the provision of our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. We retain the data for as long as they may be relevant to the conduct of business and with regard to any warranty or liability obligations based on our legitimate interest in their fulfilment. The necessity of storing the data is regularly reviewed; in all other respects the statutory storage obligations apply.
- Type of data processed: personal data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), contract data (e.g. subject matter of contract, duration, customer category).
- Persons affected: Members and their employees, users (e.g. website visitors, users of online services), business and contractual partners.
- Purposes of processing: (Pre-)contractual services and performances, contact requests and communication, administration and replies to requests.
- Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a GDPR), Fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
2. Website
To provide our website, we use a web server provided by Plus.line AG, Erlenstr. 2, 60325 Frankfurt am Main, Germany. We have concluded a data processing agreement (AVV) with Plus.line AG.
In order to protect your data in the best possible way, we use SSL encryption. All data that you transmit to our website cannot be read by third parties thanks to SSL encryption.
The following data are stored in the log files:
- browser type/browser version
- used operating system
- Referrer URL
- IP/ hostname of the accessing computer
- time of the server request
- user (only relevant in case of http authentication)
- request (downloaded content)
- status code (HTTP status code such as 200 OK)
- size of the returned object
These data cannot be assigned to specific persons. This data will not be merged with other data sources. Furthermore, these data will not be passed on to third parties and will only be used to maintain the operation (analysis and statistics purposes). Log files containing data listed above will be deleted after 180 days.
2.1. Plugins and embedded functions
We integrate functional elements into our online services that are obtained from the servers of their respective providers. These elements can be videos or contributions, for example.
Such integration always requires the third-party providers of this content to process the IP address of the users, as without the IP address they would not be able to send the content to their browsers. The IP address is therefore necessary for the display of these contents or functions. We strive to use only content whose respective providers use the IP address solely to deliver the content.
The data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context we would also like to draw your attention to the information on the use of cookies in this privacy statement.
- Type of data processed: User data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), content data (e.g. text entries, photographs, videos).
- Persons affected: Users (e.g. website visitors, users of online services), communication partners.
- Purposes of processing: provision of our online services, user-friendliness, contractual obligations, service, security measures, administration and replies to requests, contact enquiries and communication, direct marketing (e.g. by e-mail or post).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR)
Used services and service providers:
- YouTube videos & podcasts: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Opt-Out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the display of advertisements: https://adssettings.google.com/authenticated.
2.2. Presence in social networks (social media)
We maintain online profiles within social networks and process user data in this context in order to communicate with the users who are active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users’ rights. With regard to US providers that are certified under the Privacy Shield or offer comparable guarantees of a secure level of data protection, we would like to point out that they thereby undertake to comply with the data protection standards of the EU.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are generally stored on the user’s computer, in which the user’s usage behavior and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly. If you still need help, you can contact us.
- Processed data types: Personal data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Content data (e.g. text input, photographs, videos), Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of Processing: Contact requests and communication, Tracking (e.g. profiling based on interests and behavior, use of cookies), Marketing.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Used services and service providers:
- LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Privacy Shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active; Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
3. Requesting Information Material and Establishing Contact
By sending your request, you consent to the electronic processing and storage of the contact data you have provided. This is done for the purpose of processing and answering your enquiry. We store your data for six months, unless a longer period is required to process your order or respond to your request or is required by law. We do not pass on any personal data to third parties.
If necessary, your contact data will also be used to send additional information material. You can revoke your consent to this use. Further information on this can be found at the end of the privacy policy.
4. Contents and Links to External Offers of Third Parties
Our website includes content and links from third party providers. We have no influence on whether third party providers store IP addresses, e.g. for statistical purposes. As soon as you are on the website of third parties, they are responsible for the data protection of their offers within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679.
4.1. Surveys
We use Microsoft Forms to conduct surveys. When selecting the third-party provider and its services, we observe the legal requirements. A data processing agreement has been concluded with Microsoft.
Within this framework, the information provided in the survey is processed and stored on the third-party provider’s servers.
The collection and processing of the data generated as part of the survey is carried out, among other things, for the purpose of collecting statistical data, for marketing and, if applicable, for publication in various publications.
The data processed in this context is determined by the underlying survey. By participating in the survey, you consent to the electronic processing and storage of the data you provide.
Personal data, such as name, company affiliation, address or contact details of the person participating in the survey, will only be processed in exceptional cases and only as voluntary information. Participation in the surveys is also possible without this information.
Data will only be passed on to third parties for the purpose of statistical evaluation resulting from the data collection and in anonymized form. No personal data will be passed on to third parties.
5. Newsletter
With your consent to receive our newsletter we have the possibility to inform you regularly about current developments and events.
We hold the authority over these distribution lists. We reserve the right to remove individuals from our mailing lists.
Reasons:
- Error messages or indications that persons have left the institute which has a business relationship with the association
- Private individuals who have no current or former relationship with the association
- Persons who, through their behavior or otherwise, cause damage to the association’s reputation
To register for the newsletters, we use a registration form to query the relevant distribution lists.
- Processed data types: Personal data (e.g. title, first name and surname), email address, company or institute affiliation
- Data subjects: Subscribers to our newsletters, employees from member institutes
- Purposes of processing: Information and communication, marketing
- Legal bases: Consent (Art. 6 para. 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
We use the Google service reCaptcha to determine whether a person or a computer makes a certain entry in our contact or newsletter form. Google uses the following data to check whether you are a human or a computer: IP address of the end device used, the website that you visit on our site and on which the captcha is integrated, the date and duration of the visit, the identification data of the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the reCaptcha areas and tasks in which you have to identify images. The legal basis for the data processing described is legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to ensure the security of our website and to protect us from automated entries (attacks).
5.1 CleverReach
To send our newsletter we use the services of CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. This enables us to organize and analyze the sending of our newsletters. The data you enter to receive the newsletter, such as your e-mail address, is stored on CleverReach’s servers in Germany and Ireland. A data processing agreement (AVV) has been concluded with CleverReach.
With the help of CleverReach’s analysis tools, we can track how many recipients have opened their newsletter and how often links were clicked on in the newsletter. Details on CleverReach’s data analysis can be found at: https://www.cleverreach.com/en/features/reporting-tracking/
If you do not wish CleverReach to analyse your data, you must unsubscribe from the newsletter. Your data will be deleted from CleverReach’s servers if you unsubscribe. If this data has been transmitted to us for other purposes and elsewhere, it will remain with us.
Details of CleverReach’s privacy policy can be found at: https://www.cleverreach.com/en/privacy-policy/
Unconfirmed registrations as part of the double opt-in procedure are automatically deleted from CleverReach’s systems and servers after two months.
You can object at any time for the future by clicking on the unsubscribe link at the end of the newsletter or by sending us an informal e-mail with your revocation to verband@vab.de. Unsubscriptions are automatically deleted from CleverReach’s systems and servers after six months.
6. VAB Events
6.1. Advanced education offers (seminars, in-house trainings, work groups) of the VAB
We process the data of the participants of our educational offers in order to be able to provide our educational services to them. The collection and processing of your data is carried out for the purpose of organizing and carrying out the event and for communication in connection with the event.
The data processed for this purpose is determined by the underlying registration process. By registering for events, you consent to the electronic processing and storage of the contact data you have provided.
- Type of data processed: personal data (e.g. names, addresses of participants), payment data (e.g. invoice recipient), contact data (e.g. e-mail, telephone numbers), contract data (membership in the VAB).
- Persons affected: Employees of member companies, interested parties, business and contractual partners.
- Purposes of processing: Execution of the event and communication in connection with the event.
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
The data will only be passed on to third parties for the purpose of carrying out the event as far as necessary (e.g. admission control of the host).
Your data will be deleted after the event, unless they are subject to a longer retention period due to other legal requirements.
6.2. Receptions and other in-person events organized by the VAB
The collection and processing of the data of the invited and participating persons is carried out for the purpose of the organization and execution of the event as well as communication in connection with the event.
The data processed in this context is determined by the underlying registration process. By registering for events, you consent to the electronic processing and storage of the contact data you have provided.
- Type of data processed: inventory data (e.g. names, addresses of participants), contact data (e.g. e-mail, telephone numbers)
- Persons concerned: Employees of member companies, interested parties, business and contractual partners, Persons in public life.
- Purposes of processing: organization and execution of the event and communication in connection with the event.
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
The data will only be passed on to third parties for the purpose of the execution of the event to the extent necessary (e.g. access control by the landlord).
Your data will be deleted after the event, unless they are subject to a longer retention period due to other legal requirements.
6.3. Digital events (meetings, video conferences, webinars etc.) of the VAB
We use platforms and applications from Cisco Webex, ecosero and Microsoft Teams for our audio conferences, webinars and other types of video and audio meetings. We comply with the legal requirements when selecting third-party providers and their services. Data processing agreements have been concluded with Cisco Webex, ecosero and Microsoft.
In this context, data of the persons participating in the communication are processed and stored on the servers of the third-party providers, as far as they are part of communication processes with us. Such data may include, in particular, registration and contact data, entries in chats and shared screen contents.
- Type of data processed: personal data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. dial-in times and duration), meta/communication data (e.g. device information, IP addresses, browser information).
- Persons concerned: Employees of member institutions, interested parties, communication partners, users (e.g. website visitors, users of online services).
- Purposes of processing: organization and execution of the event and communication in connection with the event, contact requests and communications, office and organizational procedures
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
6.4. Recordings
Face-to-face and online events may be recorded and distributed by the organizer. Individual participants may be identifiable through video or audio recordings. This is the case, for example, if a participant speaks up during the recording or enters the area in front of the camera. However, specific recordings of participants or the list of participants are not made.
- Processed data types: Personal master data (e.g. name, name of employer, image recordings and audio recordings).
- Data subjects: Employees of member companies, interested parties, business and contractual partners, users (e.g. event participants).
- Purposes of processing: Provision of recordings to participants; commercial use; own publications; use on our website (for a limited period after the end of the event); use in video productions; lecture, educational and illustrative purposes.
- Retention period of the recordings: The recordings will be kept for as long as necessary for the aforementioned purposes. The recordings may be stored internally by VAB for an unlimited period of time, e.g. to secure legal claims under copyright law by providing evidence of original recordings.
- Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
7. Member Area
Only registered employees from our circle of members have access to the protected member area of our website. Upon request to verband@vab.de, the individual access coordinates (user name and password) are sent to the user. The collection and processing of the user’s data is carried out for the purpose of checking their authorization to access the member area. In order to process the user’s request and activate access to the member area, the contact details provided (surname, first name, member institution, e-mail address) are processed and stored electronically. The user receives a randomly generated password from us. The user can then reset this password via “Forgot password” and assign a new password themselves. The association expressly recommends this step. The user has the option of having us deactivate access to the member area at any time. To do so, simply send a message stating your name and e-mail address to verband@vab.de.
Your personal rights
You have the following rights:
- Right of access, Art. 15 GDPR
- Right to rectification, Art. 16 GDPR
- Right to erasure, Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object, Art. 21 GDPR
If you wish to make use of any of these rights, please contact the data protection officer of VAB. You will find the contact details at the end of the declaration.
It is also possible to lodge a complaint with a supervisory authority.
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Art. 6 para. 1 sentence 1 lit. a) GDPR (consent), Art. 6 para. 1 lit. e) GDPR (data processing in the public interest) and Art. 6 para. 1 lit. f) GDPR (data processing on the basis of a weighing of interests).
If you file an objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
The objection can be directed formally, with the subject “Objection” and stating your name and your (vocational) address, to the following contact:
Verband der Auslandsbanken in Deutschland e. V.
Data Protection Officer
Weißfrauenstraße 12-16
60311 Frankfurt am Main
datenschutz@vab.de