
General data protection notice of DZ BANK

This general data protection notice provides information about how your personal data is processed by DZ BANK and your rights as a data subject as per data protection legislation.

The general data protection notice is essentially addressed to all persons affected by data processing who are in contact with us now or will be in the future and thus will or may be subject to the processing of personal data in the future.

This includes, in particular, our customers, prospective customers of our products or our company, public authorities, as well as contractors – in each case including their contact persons, employees, authorised representatives, and persons with legal authority to represent them, as well as the beneficial owners of our customers who are required to be disclosed. Furthermore, these notices also apply to potential co-obligors of a loan, third-party guarantors, and other data subjects within their sphere.

The specific data and the manner in which it is processed are determined by the agreements between you and DZ BANK that have been concluded or requested. For this reason, some parts of this privacy policy may not be relevant in your case.

 

1 Who is responsible for data processing and who can you contact?

Controller:
DZ BANK AG
Deutsche Zentral-Genossenschaftsbank, Frankfurt am Main
(DZ BANK)
Platz der Republik
60325 Frankfurt am Main
telephone: +49 69 7447-01
fax: +49 69 7447-1685
e-mail: mail@dzbank.de

You can contact our data protection officer at the same address as mentioned above (DZ BANK AG)

or via
telephone: +49 69 7447-94101
fax: +49 69 427267-0539
e-mail: datenschutz@dzbank.de

 

2 What sources and data does DZ BANK use?

DZ BANK processes personal data of prospective customers, customers, as well as all other natural persons who are or come into contact with the bank, such as guarantors, authorised representatives, agents, representatives or employees of legal entities, as well as visitors to our websites and apps, or users and applicants who create a user account or use these services.

We process personal data that we receive from our customers in the context of our business relationship. Where it is required in order for us to provide our services, we also process personal data provided to us by other companies or third parties whenever we are permitted to do so (e.g. in order to execute orders, perform contracts or on the basis of your consent). We also process personal data that we are permitted to acquire from publicly accessible sources (e.g. debtors reports, title registers, trading and association registers, the press, the internet, media sources, etc.).


Relevant personal data can include: name, address and other contact information, date and place of birth and nationality, legitimation information (e.g. ID information) and authentication information (e.g. sample of signature). It also includes order data (e.g. payment order, securities order), data related to the fulfilment of our contractual obligations (e.g. revenue data from payments processing, credit limits, product data [e.g. deposits, loans and custody account business]), information about your financial situation (e.g. credit rating, the source of your assets), documentation data (e.g. records of advice that has been given), register data, data about how you use our telemedia offerings (e.g. the time of accessing websites and apps, and registering for newsletters) and other similar data.

We also process information about which contact partners assigned to us or representatives of companies commissioned by us are responsible for which deals or topics and – if we have received this information – which tasks and decision-making powers the contact partners have. This may include information regarding the extent to which a contact partner is authorised to act on behalf of the company or their general power of attorney and samples of signatures.

 

3 For what purpose does DZ BANK process your data and on what legal grounds?

DZ BANK processes personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and national data protection requirements.

3.1 In order to fulfil contractual obligations (Article 6(1b) of the GDPR)
We process your personal data in order to provide and broker banking transactions, financial services and insurance and real estate transactions, particularly in order to perform our contracts with you or to take steps prior to entering into contracts. We also process your personal data in the context of the execution of our orders, as well as for the purpose of activities related to the operation and administration of a credit or financial services institution.

The purpose for which your personal data is processed here is dependent on the specific product in question (e.g. account, credit card, securities, deposits, brokerage). These purposes can include needs assessments, advice, asset management and performing transactions. Additional details regarding the purpose for which your personal data is processed are provided in the relevant contract documents or the terms and conditions of use.

3.2 For the purpose of legitimate interests (Article 6(1f) of the GDPR)
Where necessary, DZ BANK processes data beyond the actual performance of the contract in order to safeguard the legitimate interests of DZ BANK or third parties, provided that your interests in excluding the processing do not override these interests. Examples include:

  • consulting and exchanging information with information providers in order to identify credit and default risks in accordance with national regulations;
  • reviewing and optimising the processes we use to analyse your needs and make contact with customers directly, including customer segmentation and calculating the probability of closing;
  • marketing or market and opinion research, unless you have stated that your data may not be used for these purposes;
  • asserting legal claims and defending against legal disputes;
  • guaranteeing the security and functionality of DZ BANK’s IT system;
  • prevention and investigation of criminal offences, e.g. fraud prevention;
  • measures to promote the integrity and proper functioning of the financial markets as well as the stability of the financial system, including the prevention of disadvantages for participants in payment transactions;
  • building and facility security measures (e.g. access control);
  • measures for ensuring that only authorised parties are granted access to data;
  • measures related to management and the improvement of services and products;
  • risk management within the DZ BANK Group.

 

3.3 On the basis of your consent (Article 6(1a) of the GDPR)
Where you have given DZ BANK your consent to process personal data for specific purposes (e.g. disclosure of data within the DZ BANK Group, analysis of payment transaction data for marketing purposes), the lawfulness of such processing is based on your consent. Consent that has been granted may be revoked at any time. Please note that such revocation only takes effect for the future. Processing activities that took place before the revocation are not affected.

3.4 On the basis of statutory obligations (Article 6(1c) of the GDPR) or in the public interest (Article 6(1e) of the GDPR)
Legal obligations for DZ BANK arise directly from applicable laws (e.g. the German Banking Act, the Anti-Money Laundering Act, the Securities Trading Act, tax laws) and from regulatory requirements (e.g. those of the European Central Bank, the European Banking Authority, the Deutsche Bundesbank, and the Federal Financial Supervisory Authority – BaFin). The purposes of processing include, among others, creditworthiness assessments, identity and age verification, prevention of fraud and money laundering, compliance with tax control and reporting obligations, as well as the assessment and management of risks within DZ BANK and the DZ BANK Group.

 

4 Who receives your data?

Your data is only made available within the bank to the extent required in order for us to comply with our contractual and statutory obligations. Contractors which we use (Article 28 of the GDPR) may also receive data for the aforementioned purposes. These include credit agencies, IT service providers, logistics companies, printers, telecommunication providers, collection agencies, consulting agencies and sales and marketing companies.

Whenever the personal data of our customers is provided to recipients outside of the bank, we will ensure that all of the customer-related information and assessments which we become aware of are protected by the general confidentiality terms which have been agreed between us (banking security). We may only disclose information about our customers if this is required by law, if our customers have released us from our banking secrecy obligations pursuant to an agreement or within the scope of a declaration of consent, or if we are authorised to provide banking information. If we are required to do so on the basis of a statutory obligation or an official order, personal data may be provided to the following recipients, among others:

  • Public authorities and institutions (e.g. Deutsche Bundesbank, national financial supervisory authorities, European Banking Authority, central banks, financial and law enforcement authorities) where there is a legal or regulatory obligation;
  • Other credit and financial institutions, comparable entities or intermediary bodies to which DZ BANK transfers personal data in order to conduct the business relationship with you (depending on the contract, e.g. companies of the Cooperative Financial Network Volksbanken Raiffeisenbanken, correspondent banks, custodians, stock exchanges, credit agencies, as well as companies providing services related to the detection and prevention of fraud and fraudulent patterns);
  • Other companies within the DZ BANK Group or the Cooperative Financial Network for risk management purposes as required by legal or regulatory obligations. 

Your personal data may also be provided to other recipients if you have given us your consent or you have agreed that we are not subject to banking secrecy obligations and / or if we are authorised to transfer your personal data for the purpose of pursuing a legitimate interest. Under certain circumstances, your data may be provided to additional recipients due to the nature of the contract. These circumstances will be specified in the contract documents or the terms for the transaction in question.

5 Is data transferred to a third country or an international organisation?

A transfer of data to third countries (i.e. countries outside the European Economic Area – EEA) only takes place if it is necessary for the execution of your instructions (e.g. payment or securities transactions), required by law (e.g. tax reporting obligations), you have given us your consent, or in the context of processing by a data processor.

Within the scope of transferring data to its foreign branches, DZ BANK Frankfurt has ensured that its employees working at the branches adhere to DZ BANK Frankfurt’s internal data protection policies and guidelines and to a level of data protection that corresponds to that at DZ BANK Frankfurt (written guarantee on the adequate level of data protection at the foreign branches).

 

6 For how long is your data stored?

DZ BANK processes and stores all necessary personal data for the duration of our business relationship. This includes the periods required to prepare and wind up a contract. Please note that our business relationship, especially to our customers, is likely to last for a number of years.

In addition, DZ BANK is subject to various retention and documentation obligations arising, among other things, from national commercial and tax legislation (e.g. the German Commercial Code, the Fiscal Code), as well as legal requirements specific to the banking sector (e.g. the German Banking Act, the Anti-Money Laundering Act). The retention and documentation periods prescribed by these laws in Germany may be up to ten years.

The retention period is ultimately determined on the basis of national statutory limitation periods. Sections 195 et seq. of the German Civil Code, for example, specify a standard limitation period of three years. However, these limitation periods can last up to 30 years in certain circumstances.

In all cases, the standard retention periods described here may be extended if such data is required to assert, exercise or defend legal claims.

 

7 What rights do you have as a data subject?

Every data subject has a right of access in accordance with Article 15 of the GDPR, a right to rectification in accordance with Article 16 of the GDPR, a right to erasure (“right to be forgotten”) in accordance with Article 17 of the GDPR, a right to restriction of processing in accordance with Article 18 of the GDPR, a right to data portability in accordance with Article 20 of the GDPR, and a right to object in accordance with Article 21 of the GDPR (specific information provided later on in this data protection notice). You also have the right to lodge a complaint with a supervisory data protection authority in accordance with Article 77 of the GDPR.

 

8 Are you obliged to provide your data?

You are only required to provide the personal data that is necessary in order to establish, implement and terminate a business relationship. You are also required to provide personal data that we are legally obliged to collect. Without this data, we will not normally be able to conclude the contract or execute your order. We may also be required to terminate an existing contract that we are unable to perform.

In particular, under anti-money laundering regulations, DZ BANK is required to identify its customers prior to establishing a business relationship by means of a valid official identification document (e.g. identity card). In this process, DZ BANK must collect information such as name, date of birth, nationality, address, and details of the identification document itself. If this information and documentation are not provided to DZ BANK, the bank is not permitted to establish or continue the desired business relationship.

 

9 To what extent is your data used for automated decision-making?

We do not use any fully automated decision-making processes in order to establish and implement the business relationship in accordance with Article 22 of the GDPR. Should DZ BANK be legally required to do so, we will inform you if we use these processes in your individual case.

 

10 Is your data used for profiling?

Some of your data is processed automatically by DZ BANK in order to evaluate specific personal aspects (profiling). Profiling is used, for example, in the following cases:

  • We are required to combat money laundering, the financing of terrorism and criminal acts that would endanger assets in accordance with statutory and regulatory requirements. Data (including payments processing data) is analysed for this purpose. These measures also help to keep you safe.
  • We use analysis tools so that we can provide you with tailored information about DZ BANK products and advice. These tools enable us to communicate with you in a manner based on your needs and engage in marketing, including market and opinion research.
  • We use scoring for the purpose of credit checks. It is used to calculate the probability of a customer meeting their contractual payment obligations. The calculation is based on a number of factors, including your income, expenses, liabilities, occupation, how long you have been employed, prior experience from the business relationship, whether or not previous loans were repaid on time and information from credit agencies. We use an established statistical process for scoring purposes. Scores help us to make decisions and are incorporated into ongoing risk management.

 

11 Information regarding your right to object under Article 21 of the GDPR

11.1 Right to object on a case-by-case basis
You have the right to object at any time on grounds relating to your particular situation to processing of personal data concerning you which is based on point (e) of Article 6(2) of the GDPR (processing of data in the public interest) and point (f) of Article 6(1) of the GDPR (processing of data based on a legitimate interest), including profiling based on those provisions in the sense of Article 4(4) of the GDPR which we use for credit checks or marketing purposes (objections may be made via any of the contact channels detailed above).

If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing is for the purpose of establishment, exercise or defence of legal claims.

11.2 Right to object to processing data for advertising purposes
In some cases, DZ BANK uses your personal data for direct advertising purposes. You have the right to object to your data being processed in this way at any time. This also includes profiling insofar as it relates to such direct advertising.

 

12 Updates
We modify and/or update this data protection notice, particularly in response to new technological developments, in response to amended statutory and/or official requirements and organisational changes. These modifications and/or updates are posted on our website at www.dzbank.com/dataprotection. Upon request, we provide our current data protection notices as a file (PDF) or on paper, but we recommend you always refer to our website for the most recent updates. If any changes are made, we will always check if we are required to inform you of them proactively and, should this be the case, we will fulfil our obligation to do so. Otherwise, we will only replace files or printouts with the latest versions if this is something that you have requested.

 

As at: 31/07/2025

Contact

Contact information for data protection enquiries

Data protection officer, DZ BANK AG

Email address: datenschutz@dzbank.de

Controller

DZ BANK AG

Platz der Republik

60265 Frankfurt am Main

Telephone: 069 74 47-01

Fax: 069 74 47-16 85 

Email address: mail@dzbank.de