1. Who is responsible for processing your data and who can you contact?
The data controller within the Bantleon Group is the entity to which you maintain a business or contractual relationship or that initiated the data processing measure in question through its business activities:
Telephone: +49 (0) 511 288 798-20
The company data protection officer can be reached at:
Data Protection Officer
Telephone: +49 (0) 511 288 798-20
Bantleon Bank AG
Telephone: +41 (0) 41 728 77-30
Bantleon Bank AG has a data protection representative in the EU within the meaning of Art. 27 GDPR as a contact point for supervisory authorities and affected persons on all issues related to EU data protection law:
Data Protection Officer
Telephone: +49 (0) 511 288 798-20
2. Which sources and data do we use?
We process personal data that we receive from you in the course of our business relationship. In addition, we process – insofar as necessary for the provision of our services – personal data which we have obtained and are permitted to process from publicly accessible sources (e.g. debtor directories, commercial and association registers, the press, the Internet) or which has been transmitted to us by other companies of the Bantleon Group or other third parties with authorisation (e.g. to execute orders, to fulfill contracts or on the basis of your consent).
Relevant personal data in the prospect process, in the master data setup as well as in the context of fund share transactions can be:
Name, address/other contact details (telephone, e-mail address), date/place of birth, gender, nationality, language, marital status, business ability, occupational group key/type of partner (dependent/self-employed), credentials (eg ID data), authentication data (e.g. signature sample), tax ID, FATCA status.
3. Why do we process your data (purpose of data processing) and what is the legal basis for this?
We process personal data in accordance with the applicable legal and regulatory provisions. As regards data protection law, these include in particular the EU General Data Protection Regulation (GDPR), the German Data Protection Act (BDSG) and the Swiss Data Protection Act (DSG).
a) Fulfilment of contractual obligations (article 6 (1) b) GDPR)
The processing of personal data takes place for the purpose of providing business and services in the course of the performance of our contracts with you or for carrying out pre-contractual measures that are carried out at your request.
The purposes of the data processing are primarily based on the specific product or service in question and may include, among other, asset management and support, advice and the execution of transactions. The details of the purpose of the data processing can be taken from the respective contract documents.
b) Balancing of interests (article 6 (1) f) GDPR)
Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or by a third party. Examples:
Evaluating and optimising procedures for demand analysis and for approaching clients directly; incl. client segmentation and calculating the likelihood of closure
Asserting legal claims and mounting a defence in the event of litigation
Ensuring the bank’s IT security and IT operations of the companies of the Bantleon Group
Prevention and investigation of crimes
Measures to manage business and further develop services and products
- Group risk management
c) On the basis of your consent (article 6 (1) a) GDPR)
Insofar as you have granted us consent to the processing of personal data for speciﬁc purposes, the lawfulness of such processing is based on your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the entry into force of the EU General Data Protection Regulation, i.e., prior to 25 May 2018. Please be advised that the revocation shall only have effect for the future. Any processing that was carried out prior to the revocation shall not be affected thereby.
d) Compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) e) GDPR)
The companies of the Bantleon Group are subject to various legal obligations, i.e., statutory requirements, that means legal requirements, (e.g. financial sector laws, money laundering laws, tax laws) as well as supervisory requirements (e.g. Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), Commission de Surveillance du Secteur Financier (CSSF) and/or Eidgenössische Finanzmarktaufsicht (FINMA)). The purposes of processing include, but are not limited to, identity verification, fraud and money laundering prevention, accounting, risk assessment and management, fulfillment of inquiries and requirements of national or foreign regulatory or law enforcement agencies as well as compliance with tax control and reporting requirements.
4. Who receives your data?
Within the Bantleon Group, only companies and agencies will have access to your data who require them for the fulfillment of the contractual and legal obligations or for the fulfillment of their respective tasks.
Service providers and vicarious agents employed by us may also receive data for these purposes if they observe secrecy and our instructions under data protection law. These are mainly companies from the categories listed below. With regard to the transfer of data to recipients outside the Bantleon Group, it must ﬁrst of all be noted that the Bantleon AG (as Management Company) resp. the Bantleon Bank AG (as bank) are under a duty to maintain secrecy about any customer-related facts and evaluations of which they may have knowledge. They may only disclose information about you if they are legally required to do so, if you have given your consent, if we are authorised to provide information and/or if processors commissioned by us guarantee compliance with secrecy and the provisions of the EU General Data Protection Regulation.
Under these conditions, recipients of personal data may be, for example:
Public authorities and institutions (e.g. Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), Commission de Surveillance du Secteur Financier (CSSF), Eidgenössische Finanzmarktaufsicht (FINMA), other tax authorities) insofar as a statutory or ofﬁcial obligation exists.
Other credit and ﬁnancial services institutions, comparable institutions and processors to whom we transfer personal data in order to perform the business relationship with you. Speciﬁcally: support/maintenance of EDP/IT applications, archiving, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, collection, customer management, marketing, media technology, reporting, research, risk controlling, telephony, website management, investment services, share register, fund management, auditing services.
5. How long will your data be stored?
We process and store your personal data as long as it is necessary for the performance of our contractual and statutory obligations. In this regard, it should be noted that our business relationship is a continuing obligation designed to last for several years and also includes the initiation and execution of a contract.
As far as Bantleon AG is concerned, this is subject to various requirements for storage and documentation, including the German Commercial Code (HGB), the German Tax Code (AO), the Banking Act (KWG), the Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). The deadlines for storage and documentation are two to ten years. Finally, the storage period is also based on the statutory limitation periods, which according to §§ 195 ff. of the German Civil Code (BGB) can generally amount to three years, in some cases up to thirty years.
As far as Bantleon Bank AG is concerned, this is subject to various requirements for storage and documentation, including the Swiss Code of Obligations, the Value Added Tax Act, the Federal Law on Direct Federal Tax, the Federal Law on the Harmonization of Direct Taxes of the Cantons and Municipalities, the Federal Law on the Stamp Duties and the Withholding Tax Law. The deadlines for storage and documentation specified there are usually ten years. In addition, there are also limitation periods to be observed, which may be longer than the actual (minimum) storage periods.
6. Is data transferred to a third country or to an international organisation?
Personal data processed by Bantleon AG are transmitted to the parent company (Bantleon Bank AG) in Switzerland for the purpose of data backup. An appropriate level of data protection was confirmed by the EU Commission (appropriateness decision 2000/518/EC).
7. What data protection rights do you have?
Every data subject has a right of access (article 15 GDPR), a right to rectiﬁcation (article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR) and a right to data portability (article 20 GDPR). The right of access and right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR in conjunction with section 19 BDSG).
You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i.e., prior to 25 May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.
8. Are you under any obligation to provide data?
Within the scope of our business relationship, you must only provide personal data which is necessary for the initiation, execution and termination of a business relationship or which we are legally obligated to collect. As a rule, we would not be able to enter into any contract or execute the order without these data or we may no longer be able to carry out an existing contract and would have to terminate it.
In particular, provisions of money laundering law require that we verify your identity before entering into the business relationship, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents in accordance with the money laundering law and notify us without undue delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to enter into your requested business relationship.
9. To what extent is automated decision-making used?
As a rule, we do not make decisions based on automated processing as deﬁned in article 22 GDPR to establish and implement the business relationship. If we use these procedures in individual cases, we will inform you of this separately, provided that this is prescribed by law.
10. Is profiling (scoring) carried out?
In some cases, we process your data automatically with the aim of evaluating certain personal aspects (profiling as defined in article 4 (4) GDPR). For instance, we use proﬁling in the following cases:
- Due to legal and regulatory requirements, we are committed to combating money laundering, the financing of terrorism and property-related offenses. Data evaluations are also carried out (in payment transactions, among other things) in this context. These measures also serve to protect you.
- We can also evaluate your data to determine your potential interest in our products and services. This evaluation is based on statistical methods using current customer data and those from the past. We use the results to be able to address you in a more needs-oriented and targeted way.
11. What rights of objection do you have?
a) Ad hoc right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this also includes any proﬁling based on those provisions within the meaning of article 4 (4) GDPR.
If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.
b) Right to object to the processing of data for marketing purposes
In certain cases, we may process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes proﬁling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
There are no formal requirements for lodging an objection. Our contact details can be found in section 1.