Logon

General Data Protection Information for Customers

How we process your data and your rights

- Information in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) -

Dear Sir/Madam,

Below you will find information about the processing of your personal data by us and the claims and rights to which you are entitled in accordance with the data protection law regulations.
The data that are processed in data and how such data are used are largely based on the requested or agreed services.

1 Who is responsible for the data processing and who can I contact?
Responsible body:

ETRIS Bank GmbH, Dieselstraße 45, D-42389 Wuppertal,
Tel.: +49 (0)2 02/6096 - 1500, E-mail: info@etrisbank.de

You can contact our data protection officer at:

ETRIS Bank GmbH, Dieselstraße 45, D-42389 Wuppertal,
Data Protection Officer, E-mail: datenschutz@etrisbank.de

2 What sources and data do we use?
We process personal data that we receive from you during the course of our business relationship. In addition, we process, to the extent required for the provision of our service, personal data that we receive from other companies of the E/D/E Group (in particular from Einkaufsbüro Deutscher Eisenhändler GmbH, Toolineo GmbH & Co. KG, Delcredit France SAS, Delcredit España SA), other central settlement associations or other third parties (e.g. Creditreform Wuppertal Brodmerkel & Kötting KG, Bureau van Dijk, trade credit insurance companies such as Atradius Kreditversicherung, branch of Atradius Crédito y Caucón S.A. de Seguros y Reaseguros as well as Euler Hermes Germany branch of Euler Hermes SA, collection companies such as Atradius Collections B.V., Germany branch) (e.g. for the execution of orders, the performance of contracts or on the basis of consent given by you). On the other hand, we process personal data that we have obtained from publicly accessible sources (e.g. debtors' registers, land registers, registers of companies and associations, press and media) and which we are permitted to process.

Relevant personal data are personal details (name, address and other contact details, date and place of birth and nationality), legitimation data (e.g. ID card data) and authentication data (e.g. specimen signature), tax-relevant data (e.g. tax number, tax identification number and tax residency). Furthermore, this may also include order data (e.g. payment order), application data (i.e. information you make available to us, e.g. when applying for a loan agreement), data from the honouring of our contractual obligations (e.g. turnover data in payment transactions, credit line, product data [e.g. deposit business, lending business including subsidised loans]), information about your financial situation (e.g. creditworthiness data, scoring/rating data and the origin of assets), advertising and sales data (including advertising scores), documentation data (e.g. advice log), register data, data about your use of the telemedia we offer (e.g. time of accessing our websites, apps or newsletters, our pages that are clicked on or entries) as well as other data comparable to the stated categories.

3 What do we process your data for (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

3.1 To honour contractual obligations (Article 6(1b), GDPR).
Personal data (Article 4, No. 2, GDPR) are processed for the purpose of providing and arranging banking transactions, financial services (e.g. factoring), in particular for the execution of our contracts or pre-contractual measures with you or with central settlement associations for the purpose of entering into the central settlement business transactions (payment processing and assumption of del credere liability) and the execution of your orders, as well as all activities associated with the operation and administration of a credit and financial services institution. As part of the lending business, personal data are also processed for the initiation, examination and administration of development loans refinanced via the development institutions NRW.BANK and Kreditanstalt für Wiederaufbau (KfW). More details are available for NRW.BANK at https://www.nrwbank.de/de/datenschutz/ and for KfW at https://www.kfw.de/KfW-Konzern/Datenschutz.html.

The data processing purposes primarily depend on the service or the specific banking product (e.g. account, loan, factoring, deposit, brokerage, online banking) agreed with you or your central settlement association and may include inter alia needs analyses, advice as well as the execution of transactions.

Further details about the purpose of the data processing can be found in the respective contractual documents and terms and conditions of business, which you have received from us or your central settlement association or another body that processes your data at its own responsibility.

3.2 As part of weighing up interests (Article 6(1f), GDPR)
Where necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests, or those of third parties, such as in the following cases:

- Consultation of and data exchange with credit agencies (e.g. SCHUF Holding AG, Creditreform Wuppertal Brodmerkel & Kötting KG, Bureau van Dijk) to determine creditworthiness or default risks. In this context, the information available at the credit agencies is forwarded to us. In conjunction with the promotional loan business, we also receive from the credit agencies personal data of the borrower's managing partners, in addition to the borrower's personal data, insofar as this is required for examination purposes, in particular for credit assessments. The credit agencies will not inform you again separately about the forwarding of data to us. You may request information from the aforementioned credit agencies at any time about the stored data relating to you, which they pass on to their affiliated companies for the purpose of assessing your creditworthiness. You can obtain more detailed information about data processing by the aforementioned credit agencies at https://www.schufa.de/datenschutz orhttps://www.creditreform.de/wuppertal/datenschutz or https://www.bvdinfo.com/de-de/privacy-policy.

- Hedging of our credit default risks via trade credit insurance companies such as Atradius Kreditversicherung, branch of Atradius Crédito y Caucón S.A. de Seguros y Reaseguros, Opladener Straße 14, D-50679 Cologne within the scope of the factoring business as well as Euler Hermes Germany branch of Euler Hermes SA, Friedensallee 254, D-22763 Hamburg within the scope of the central settlement business;

- Collection of receivables from debtors within the framework of the factoring business by collection companies such as Atradius Collections B.V., German branch, Opladener Straße 14, D-50679 Cologne and Atriga GmbH, Pittlerstraße 47, D-63225 Langen;

- Reviewing and optimising procedures for demand analysis and direct customer approach;

- Advertising or market and opinion research, insofar as you have not objected to the use of your data;

- Asserting legal claims and defence in legal disputes;

- Ensuring IT security and the bank's IT operations;

- Prevention and investigation of criminal offences;

- Video surveillance is aimed at collecting evidence in the event of criminal offences. It is, therefore, aimed at protecting clients and employees as well as safeguarding the premises rights.

- Measures to ensure building and facility security (e.g. access controls);

- Measures to ensure premises rights;

- Measures for business and risk management and further development of services and products.

3.3 Based on your consent (Article 6(1a), GDPR)
Insofar as you have granted us consent to process personal data for certain purposes (e.g. evaluation of payment transaction data for marketing purposes), the lawfulness of this processing shall be based on your consent. Granted consent may be withdrawn at any time. This also applies to the declarations of consent made to us prior to the application of the GDPR, i.e. prior to 25 May 2018.

Please note that your withdrawal only applies to the future. Processing that occurred prior to the withdrawal is not affected.

3.4 As a result of statutory requirements (Article 6(1), Point c, GDPR) or in the public interest (Article 6(1), Point e, GDPR)
As a bank, we are also subject to various legal obligations, i.e. statutory requirements (e.g. German Banking Act, Money Laundering Act and tax laws) as well as banking supervisory requirements (e.g. of the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the German Federal Financial Supervisory Authority). The purposes of the processing include the creditworthiness check in relation to the respective customer or borrower (e.g. within the scope of central regulation: member / dealer / connecting house / trading partner; in the context of factoring: factoring recipients and debtors), the identity and age check, fraud and money laundering prevention, the honouring of control and reporting obligations under tax law, reporting obligations under supervisory law as well as the assessment and management of risks.

4 Who receives my data?
Within the bank, those offices that require your data to honour our contractual and legal obligations are granted access to your data. Processors appointed by us (Article 28, GDPR) may also receive data for these purposes. These are companies in the categories of credit services, processing of the factoring business, IT services, logistics, printing services, telecommunications, advice and consulting as well as sales and marketing.

With regard to the forwarding of data to recipients outside the bank, it should first be noted that, in accordance with the general terms and conditions of business agreed by you or the respective central settlement association and us, we undertake to maintain secrecy about all customer-related facts and evaluations of which we become aware (banking secrecy). We may only forward information about you if this is required by law, if you have consented or if we are authorised to furnish banking information. Under these conditions, recipients of personal data may be, for example:

- Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank and tax authorities) if a legal or official obligation applies.

- Other credit and financial services institutions or comparable institutions to which we forward personal data to perform the business relationship with you (depending on the contract: e.g. correspondent banks, credit agencies); in the case of the promotional lending business, for further decision-making on the promotional measure and/or implementation of the promotional measure: the promotional lending banks NRW.BANK and KfW.

- Service providers that we use within the scope of order processing relationships.

Further data recipients may be those bodies for which you have given us your consent to forward data or for which you have released us from banking secrecy in accordance with an agreement or consent.

Where necessary in the context of processing in accordance with the above point 3, you hereby release us from banking secrecy.

5 For how long are my data stored?
Where necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract. It should be noted that our business relationship is a continuing obligation that is intended to last for years.

In addition, we are subject to various storage and documentation obligations, which result, inter alia, from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG) and the German Money Laundering Act (GwG). The periods specified there for storage or documentation are two to ten years.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases may run to thirty years.

6 Are data transferred to a third country or to an international organisation?
Data are only transferred to third countries (countries outside the European Economic Area - EEA) if this is necessary to execute your orders (e.g. payment and securities orders), is required by law or you have granted us your consent. We shall inform you separately about the details, if required by law.

7 What data protection rights do I have?
Each data subject has the right to information in accordance with Article 15, GDPR, the right to rectification in accordance with Article 16,GDPR, the right to erasure in accordance with Article 17, GDPR, the right to restriction of processing in accordance with Article 18, GDPR and the right to data portability in accordance with Article 20, GDPR. With regard to the right to information and the right to erasure, the restrictions in accordance with Sections 34 and 35, BDSG apply. In addition, there is a right of appeal to a data protection supervisory authority (Article 77, GDPR, in conjunction with Section 19, BDSG).

8 Is there an obligation to provide data?
Within the scope of our business relationship, you are only required to provide personal data that are necessary for the establishment, execution and termination of a business relationship or that we are legally obliged to collect. Without such data, we shall usually be required to refuse to enter into the contract or execute the order or shall no longer be able to perform an existing contract and may need to terminate it.

We undertake, in particular in accordance with money laundering regulations, to identify you before the business relationship is established, for example by means of your identity card, and collect your name, place of birth, date of birth, nationality and residential address. For us to be able to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the German Money Laundering Act and notify us without delay of any changes that occur in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into the business relationship you request.

9 To what extent is there automated decision-making in individual cases?
As a matter of principle, we do not use fully automated decision-making in accordance with Article 22, GDPR, to establish and implement the business relationship. Should we use such procedures in individual cases, we shall inform you of this separately, insofar as this is required by law.

10 To what extent is my data used for profiling (scoring)?
On occasion we process your data automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in the following cases, for example:
- Due to legal and regulatory requirements, we undertake to combat money laundering, terrorist financing and criminal offences that endanger assets. In this context, we also analyse data (e.g. in payment transactions). These measures are also aimed at protecting you.
- We use evaluation tools to inform and advise you about products in a targeted manner. These facilitate needs-based communication and advertising, including market and opinion research.
- We use scoring to assess your creditworthiness. This involves calculating the probability that a customer will meet their payment obligations in accordance with the contract. The calculation may include, for example, income, expenses, existing liabilities, occupation, employer, length of employment, experience from the previous business relationship, repayment of previous loans in accordance with the contract as well as information from credit agencies. The scoring is based on a mathematically-statistically recognised and proven procedure. The calculated score values support us in our decision-making process when concluding products, and are included in our ongoing risk management.

Information about your right to object
In accordance with Article 21 of the General Data Protection Regulation (GDPR)

1. You have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6(1), Point e, GDPR (data processing in the public interest) and Article 6(1), Point f, GDPR (data processing based on weighing up interests). This also applies to profiling based on this provision of Article 4, No. 4, GDPR, that we use for credit checks or for advertising purposes.

If you make an objection, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

2. In individual cases, we process your personal data to perform direct advertising. You have the right to object at any time to the processing of personal data that affects you for the purpose of such advertising. This also applies to pooling where it is associated with such direct advertising.

Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

The objection may be made without honouring formal requirements, and should preferably be addressed to:

Please see the contact details in sub-section 1.