Privacy Notice in Accordance with the EU General Data Protection Regulation
Last updated: May 2018
The purpose of this Privacy Notice is to inform you about the personal data that we may collect about you, how we use it and what legal rights you have regarding your personal data.
1. Who is legally responsible for handling your personal data and who can you contact about this?
In data protection law terminology, this is the “controller”, namely:
Deutsche Bank AG (“DB”)
60325 Frankfurt am Main
Phone: +49 (0)69 910-10000
Fax: +49 (0)69 910-10001
Email address: email@example.com
Our internal data protection officer may be contacted at:
Deutsche Bank AG
Data Protection Officer
60325 Frankfurt am Main
Phone: (069) 910-10000
Email address: firstname.lastname@example.org
2. What personal data do we collect about you and where do we get it from?
We process personal data that we receive from you in the context of running our art program (e.g. exhibitions, events, and discussion forums). We may also process personal data that we obtain from publicly available sources (e.g. information published at events or in the media) but only insofar as it is appropriate and lawful to do so. Relevant personal data may include title, first name, surname, company, position, address, and contact details (such as your phone number, email address and fax number).
3. What do we use your personal data for and on what legal basis is this allowed?
We process the personal data described above in compliance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The legal bases we rely on to process your personal data are:
a) For the purpose of our legitimate interests (article 6 (1)(f) GDPR)
As a bank we process your personal data to fulfil our legitimate interests, namely to promote art, culture, and sport.
b) On the basis of your consent (article 6 (1)(a) GDPR)
Where you have given us consent to process your personal data for speciﬁc purposes (e.g., so that we can provide you with our newsletter, information, invitations to events or so we can transfer your data within the Deutsche Bank Group), the lawfulness of such processing is based on your consent. You may withdraw consent at any time after you have given it, including where consent was given prior to the entry into force of the GDPR. This would not affect the lawfulness of DB’s prior use of that information.
4. Who do we disclose your personal data to?
Within DB, only staff who need access to your data for the purposes described above will have access to it. Similarly, DB’s agents and service providers will be given access to your data where necessary for such purposes, e.g. event management companies. We have written contracts in place with such third parties requiring them to comply with our instructions and with data protection obligations.
5. How long will your personal data be stored?
We will retain your personal data for as long as necessary in light of the purposes for which the data is used. Accordingly, we will not retain your personal data if you withdraw your consent as outlined in section 3(b) or if we no longer have a legitimate need for it.
6. What rights do you have concerning your personal data?
You may have various legal rights in relation to your personal data, including the right to ask for:
You are also entitled to modify or withdraw your consent for the collection, use and disclosure of your personal data (see section 3(b) above), and to lodge a complaint with a data protection regulator about how we handle your personal data (article 77, GDPR, and section 19, BDSG).
- a copy of your personal data (article 15, GDPR, subject to the limitations in sections 34 and 35, BDSG);
- any inaccuracies or incompleteness in your personal data to be corrected (article 16 GDPR);
- deletion of your personal data (article 17, GDPR, subject to the limitations in sections 34 and 35, BDSG);
- DB to restrict the ways in which it processes your data (article 18, GDPR);
- for your personal data to be transferred to you or another company in a commonly used electronic format (known as the right to data portability: article 20, GDPR);
- DB to stop processing your data in a particular way (article 21, GDPR - see “right to object” below).
Information on your right to object under article 21 of the GDPR
You can also object to the processing of your personal data where we do this for the purposes of our legitimate interests (article 18, GDPR). If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your rights and interests or else we need to process the information in connection with a legal claim. There are no formal requirements for lodging an objection; where possible it should be made by telephone to: +49 (069) 910-10000.