This data protection notice aims to clarify what data is collected when recording calls on the telephone, the purposes for which we process this data and what rights you have as a data subject with regard to this data processing.

1  Who is responsible for data processing and who can you contact?

Controller:
DZ BANK AG
Deutsche
Zentral-Genossenschaftsbank, Frankfurt am Main
(DZ BANK)
 
Platz der Republik
60325 Frankfurt am Main
telephone: +49 69 7447-01
fax: +49 69 7447-1685
E-Mail: mail@dzbank.de
 
You can contact our data protection officer at the same address above-named (DZ BANK AG)
 
or via
telephone: +49 69 7447-94101
fax: +49 69 427267-0539
e-mail: datenschutz@dzbank.de

2  What sources and data does DZ BANK use?

When recording a call, DZ BANK processes technical data generated from the telephone system or which has been provided by the telephone company in addition to the speech content itself. This includes the phone numbers involved in the call, the start of the call and the duration of the call. In the case of incoming calls, our staff also normally record the name given by the caller and the customer’s concern and if necessary, a voicemail is saved.

3  What does DZ BANK process your data for (purpose of processing) and on what legal grounds

3.1  Based on statutory obligations (Art. 6 para. 1 lit. c GDPR )

Depending on national legislation, recordings must be made of certain telephone calls (such as those in connection with the initiation of a contract, conclusion of a capital markets business transaction). The recordings are made to preserve evidence and are used under civil law to defend against claims for damages by third parties against the Bank and to prove that no false information was provided.

For the above-mentioned purposes we store, in addition to the speech content itself, the caller information (in particular time, call number) belonging to a recording. This information is used for the systematic filing and allocation or retrieval of call recordings to a business transaction.

The recording and storage is done to meet statutory obligations.

Whether a telephone call must be recorded under national and/or different statutory rules depends on the country from which you are calling one of DZ BANK's offices o branches. When calling our capital markets divisions, you should normally assume that, for legal reasons, calls are being recorded on a regular basis.

In individual cases, these call recordings may be intercepted as part of internal or external legal audits.

3.2  In individual cases, we record calls with your consent in order to protect vital interests (Art. 6 para. 1 lit. d GDPR)

In contingencies and threatening situations, a recording can also be made on a case-by-case basis to make the incident more verifiable and comprehensible, without us having to obtain consent due to the special situation. The legal basis results from our duty to avert life-threatening situations and to ensure the protection of our employees, or alternatively from a legitimate interest from Art. 6 para. 1 lit. f GDPR.

3.3  Based on legitimate interests of DZ BANK (Art. 6 para. 1 lit. f GDPR)

If you contact us about retail securities transactions (pure provision of
information), we record your request manually in our system during the call and save this call note at the end of the call. A recording of the call does not
take place.

This is also a processing of personal data, which we carry out in order to be able to process your request more systematically or to not have to repeatedly ask for necessary information in follow-up calls.

If you cannot reach us by telephone, you have the option of leaving a call-back request or a message for us by voice mail. In the case of a callback request, your telephone number will be recorded in the system in order to comply with the callback request. In the case of a voicemail, your message is also recorded with the name you left and your concerns so that we can respond to your questions in a targeted manner when we call you back. After completion of the process and clarification of the request, the data is deleted from our systems.

4  Who receives your data?

Within the Bank, those offices that need your data for processing purposes have access to it. If recordings are made for legal purposes, government departments and the appropriate regulatory offices in particular can access them in the course of a search request, but only insofar as their respective national legislation allows.

In the event of a legal dispute, we hand the recordings over to lawyers and courts insofar as the law compels us to do so or we have a position in law to represent. We also disclose data from emergencies and threat situations, if this is required by the investigating authorities.

For the operation of our telephone systems, we engage service providers who work strictly in accordance with our instructions, we define a normal level of data protection for a bank which they must meet (contract processors). These service providers process your data only for the purposes we specify (in this case, operating a telephone system, storing data).

5  For how long is your data stored?

The storage period for the data depends on which country you are calling from and its respective national legislation.

German law requires calls to be recorded if they are made in connection with securities products. Data from these calls must be stored for up to 7 or 13 years under § 83 para. 8 German Securities Trading Act (WpHG) and Section 147 of the German Fiscal Code (AO). Insofar as there is no statutory storage period for recordings, the length of time for which they are stored is guided by statutory limitation periods (generally three years in Germany). Data from emergencies and threat situations is stored until it is handed over to the investigating authorities, or for the duration of the relevant limitation periods.

Call notes recorded in connection with retail securities transactions are deleted 90 days after the matter has been resolved.

6  What rights do you have as a data subject?

Every data subject has a right of access in accordance with Article 15 of the GDPR, a right to rectification in accordance with Article 16 of the GDPR, a right to erasure (“right to be forgotten”) in accordance with Article 17 of the GDPR, a right to restriction of processing (blocking) in accordance with Article 18 of the GDPR, a right to data portability in accordance with Article 20 of the GDPR, a right to object in accordance with Article 21 of the GDPR (specific information provided later on in this data protection notice). You also have the right to lodge a complaint with a supervisory data protection authority in accordance with Article 77 of the GDPR.

If you give DZ BANK your consent to process your personal data for specific purposes, you can withdraw your consent for the future at any time. This also applies to any consent given to us by you before the GDPR came into effect, i.e. before 25 May 2018. The withdrawal of consent does not affect the lawfulness of processing performed by DZ BANK based on consent before its withdrawal.

7  Are you obliged to provide your data?

For all calls that we record due to a statutory obligation, this form of data processing can only be avoided by choosing alternative means of contact (e.g. post, fax, e-mail, etc.).

For all calls that we record out of self-interest, we ask for your consent in advance. We will comply with your wish not to record such calls.

However, in order to be able to deal with your concerns more systematically or to avoid having to repeatedly ask for necessary information in follow-up calls, we take the liberty of making a note of the call as described in section 3.3.

8  Information about your right to object according to Art. 21 GDPR

8.1  Case-specific right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 (1) (f) of the GDPR (processing of data on the basis of DZ BANK's legitimate interests).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

8.2  Form of the objection

The objection can be made without any formal requirements to the above contact details.

9  Conclusion / note

We modify and/or update this data protection notice, particularly in response to new technological developments, in response to amended statutory and/or regulatory requirements and organisational changes. These modifications and/or updates are published on our website at www.dzbank.com/dataprotection. We provide our current data protection notes as a file (PDF) or on paper, but we recommend that you always refer to our website for the most recent updates. If any changes are made, we will always check if we are required to inform you of them proactively and, should this be the case, we will fulfil our obligation to do so. Otherwise, we will only replace files or printouts with the latest versions if this is something that you have requested.