Entschädigungseinrichtung deutscher Banken GmbH (Compensation Scheme of German Private Banks)
Telephone: +49 30 5900 1196 0
Any affected person (“data subject”) can address enquiries and concerns relating to data protection directly to our data protection officer at any time.
Entschädigungseinrichtung deutscher Banken GmbH
When the website https://www.edb-banken.de is called up, data are automatically recorded about every server access (so-called “server log files”).
These data include the name of the retrieved web page, file, date and time of retrieval, amount of data transferred in bytes, message about successful retrieval, browser type and version, operating system used, referrer URL (the page previously visited), IP address and the requesting provider. We use the log file solely for statistical analysis for the purpose of operating, securing and optimising our website; we do not match it to the user or conduct any kind of profiling. We nevertheless reserve the right to subsequently check the log file if we have legitimate grounds for suspecting unlawful use.
Temporary system storage of the IP address is necessary to enable delivery of the website to the user’s computer. For this purpose, the IP address has to remain stored for the duration of the session. The legal basis for temporary storage of the data and log files is Article 6(1)(f) of the European General Data Protection Regulation (GDPR).
The data are erased as soon as they are no longer needed for the purpose of their collection. Where data are recorded for the purpose of making our website available, this is the case when the session ends. Where data are stored in log files, this is the case after 14 days at the latest. The data may also be stored for longer. In this case, the IP address of the data subject will be erased or scrambled so that it can no longer be matched to the user.
Recording data for the purpose of making the website available and storing data in log files are essential for operating the website. The user consequently has no right to object to the practice.
You may object to the collection of your data by Google Analytics and the processing of these data by Google in the future by installing a deactivation add-on for your browser (http://tools.google.com/dlpage/gaoptout?hl=en-GB).
We use Google Analytics to analyse and continuously improve our website. The statistics we obtain enable us to improve our website and make it more interesting for you, the user. In the exceptional cases in which personal data are transferred to the US, Google recognises the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework). The legal basis for using Google Analytics is Article 6(1)(f) of the GDPR.
The data we transmit are automatically erased after 14 months. Data whose storage period has expired are automatically erased once a month.
We are pleased whenever our readers recommend and discuss content of our website on Twitter, Facebook and LinkedIn. For this purpose, we use social media buttons (also social media plugins), namely the buttons developed by the c’t “Shariff” project.
Shariff ensures that social networks can only retrieve user data once users click on the relevant button. Shariff replaces social networks’ customary “share” buttons and protects your surfing behaviour from prying eyes. A single click on the button is enough to share information with others. You don’t have to do anything else – the webmaster has already taken care of everything. Customary social media buttons transfer your data every time you visit a web page and give the social networks full details of your surfing behaviour (user tracking). You don’t have to be logged in or a network member for this to happen. A Shariff button, on the other hand, only establishes direct contact between a social network and a visitor when the latter actively clicks on the share button.
Only when you click on the button is the provider of the social network informed that you have visited our website. In addition, data such as IP address, request date and time and request content are transmitted. Where Facebook is involved, the provider says that in Germany the IP address is anonymised immediately after being received. Activating the plugin therefore means that your personal data are transferred to the provider and stored there (where US providers are concerned, in the US). As the provider collects data via cookies, in particular, we recommend that you use your browser’s security settings to delete all cookies before clicking on the button.
We have no influence on the data collected or data processing operations, nor do we know the full extent of data collection, the purposes of the data processing or the storage periods. Likewise, we have no information on erasure of the data collected by the social network provider involved.
The provider stores the data about you in the form of a user profile and uses it for advertising, market research and/or customised website design purposes. It primarily evaluates data (also of non-logged-in users) to deliver personalised ads and to inform other users of the social network about your activity on our website. You have the right to object to the creation of such a user profile; to exercise this right, you must contact the provider in question. Through plugins, we give you the opportunity to interact with social networks and other users so that we can improve our services and make them more interesting for you. The legal basis for using plugins is Article 6(1)(f) of the GDPR.
Data are transferred irrespective of whether you have an account with the provider and are logged in there. If you are logged in with the plugin provider, the data that we collect about you are matched directly to your account with the provider. If you use the activated button and, for example, link the page, the provider will store this information in your user account as well and share it with your contacts. We recommend that after using a social network you always log out, particularly before activating the button, as this will enable you to avoid data being matched to your profile with the plugin provider.
For further information on the purpose and scope of data collection and processing of data by the plugin provider, please see the privacy policies of the providers listed below. These also contain further details of your rights and setting options to protect your privacy.
Addresses of the social network providers and URLs with their privacy policies:
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; https://www.facebook.com/policy.php; further information on data collection: https://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook recognises the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/en/privacy. Twitter recognises the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn recognises the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
Further information on Shariff can be found at https://www.heise.de.
Our website contains remarketing tags provided by Facebook (1601 South California Avenue, Palo Alto, CA 94304, USA). When visiting Facebook or other websites also using such tags, users of this website can then be shown targeted advertisements (Facebook ads). Our aim is to show you ads that are of interest to you in order to make our website more attractive to you. The legal basis for processing your data is Article 6(1)(f) of the GDPR.
According to Facebook, the data we transmit fall into five categories: so-called HTTP headers, pixel-specific data, button click data, form field names and optional data. These are explained at https://www.facebook.com/business/gdpr. According to Facebook, the data are automatically erased or anonymised after 90 days. Please see https://www.facebook.com/help/206635839404055?ref=dp. Data whose storage period has expired are automatically erased once a month.
For further information on data processing by Facebook, please go to https://www.facebook.com/about/privacy.
Our online content includes services of third parties – Vimeo, Twitter and SlideShare. This content can be viewed directly on our website. When you visit the website, these providers will be informed that you have viewed the corresponding sub-page of our website. Further data will also be transmitted irrespective of whether you have a user account which you are logged into or whether you have no user account. If you don’t want these data to be matched to your profile, you need to log out before activating the relevant button. You have the right to object to the creation of these user profiles but to exercise this right, you need to contact the relevant provider. We embed these services to show you content which will be of interest to you in order to make our website more attractive to you. The legal basis for processing your data is Article 6(1)(f) of the GDPR.
You can contact us using the email address published on our website. The personal data of users transmitted with these emails are stored in our email archive. No data are passed on to third parties. The data are used only for the purpose of conducting our conversation.
The legal basis for processing data transmitted by email is Article 6(1)(f) of the GDPR. When we are contacted by email, we have a legitimate interest in processing the personal data therein in order to deal with the reason for the contact. Article 6(1)(b) of the GDPR provides a further basis for processing the data. Processing is necessary for the purpose of handling an enquiry which constitutes a quasi-contractual relationship. The consent criterion in accordance with Article 6(1)(a) of the GDPR also provides justification for storing these data while the task is being handled.
On our website we offer users the opportunity to receive news by email (newsletters/alerts). Anyone wishing to make use of this service must provide a valid email address and confirm that the owner of the email address provided agrees to receive the newsletter. No further data are collected. This information is only used for the purpose of sending the newsletter.
The email addresses and other above data of the recipients of our newsletters are stored on Mailjet’s servers. Mailjet uses this information to send and evaluate newsletters on our behalf. Mailjet will not use the data of our newsletter recipients to write to them directly and will not pass on the data to third parties.
Personal data will only be transmitted to third parties if
- processing is necessary under Article 6(1)(e) of the GDPR for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- the data subject has given express consent under Article 6(1)(a) of the GDPR,
- transmission is necessary under Article 6(1)(f) of the GDPR for the purpose of asserting, exercising or defending legitimate interests and there is no reason to assume that such interests are overridden by the interests or fundamental rights and freedoms of the data subject,
- transmission is necessary under Article 6(1)(c) of the GDPR to comply with a legal obligation and/or
- this is necessary under Article 6(1)(b) of the GDPR to fulfil a contractual relationship with the data subject.
In other cases, personal data will not be disclosed to third parties.
If your personal data are processed in the course of your visiting our website, you have the following rights in your capacity as a “data subject” within the meaning of the GDPR.
You can ask us whether we are processing your personal data. This right to information does not apply if provision of the requested information would violate the confidentiality obligation under section 21 of the German Deposit Guarantee Act (Einlagensicherungsgesetz [EinSiG]) or if the information must remain confidential for other reasons, in particular due to an overriding legitimate interest of a third party. An obligation to provide you with the information may nevertheless exist if your interests outweigh the need for confidentiality because there would otherwise be a risk of damage or injury. The right to information also does not apply if the data are only being stored because statutory retention periods preclude their erasure or if they solely serve the purpose of data backup or data protection control and the provision of information would require disproportionate time and effort and appropriate technical and organisational measures are in place to exclude processing for other purposes. Should the right to information not be excluded and if your personal data are processed by us, you can ask us to provide the following information:
- purpose of the processing,
- categories of your personal data processed,
- recipients or categories of recipients, especially in third countries, to whom your personal data have been disclosed,
- if feasible, the planned length of time that your personal data will be stored or, if this is not feasible, the criteria determining storage periods,
- the existence of a right to rectification or erasure or restriction of the processing of your personal data or of a right to object to this processing,
- the existence of a right to lodge a complaint with the responsible data protection authority,
- if the personal data were not collected from you in your capacity as the data subject, available information about the source of the data.
If you ascertain that the personal data we have about you are incorrect, you can require us to correct these data without delay. If your personal data are incomplete, you can require us to add the missing data.
You have a “right to be forgotten” unless processing is necessary for the exercise of the freedom of expression or the right to information or for compliance with a legal obligation or for the performance of a task carried out in the public interest and provided that one of the following reasons applies:
- the personal data are no longer necessary for the purposes for which they were processed;
- the sole justification for processing was your consent, which you have now withdrawn;
- you have objected to the processing of your personal data which we have made public;
- you have objected to the processing of your personal data which we have not made public and there are no overriding legitimate grounds for the processing;
- your personal data have been unlawfully processed;
- the erasure of your personal data is necessary in order to comply with a legal obligation to which we are subject.
There is no right to erasure if the data processing is lawful and non-automated and, owing to the special type of storage, erasure is not possible or possible only with disproportionate time and effort and your interest in the erasure is slight. In this case, processing will be restricted instead of the data being erased.
You can require us to restrict the processing of your data if one of the following reasons applies:
- You contest the accuracy of the personal data. The restriction will then apply for a period allowing us to verify the accuracy of the data.
- The processing is unlawful and you request that use of the data be restricted instead of the data being erased.
- We no longer need your personal data for the purpose of the processing, but you require the data for the purpose of establishing, exercising or defending legal claims.
- You have objected to processing pursuant to Article 21(1) of the GDPR. A restriction of processing can be requested pending verification of whether our legitimate reasons override yours.
Restriction of processing means that personal data will only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of major public interest. Before we lift the restriction, we have a duty to inform you of this.
You have a right to data portability provided that processing is based on your consent (Article 6(1)(a) or Article 9(2)(a) of the GDPR) or on a contract to which you are party and that the processing is carried out by automated means. Should this be the case, the right to data portability includes the following rights provided that this does not affect the rights and freedoms of other persons: you have the right to obtain from us the personal data you provided us with in a structured, commonly used and machine-readable format. You have the right to transmit these data to another controller without hindrance from us. Where technically feasible, you can require us to transfer your personal data directly to another controller.
Information about your right to object under Article 21 of the GDPR
Individual right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(f) of the GDPR (data processing on the basis of striking a balance between legitimate interests). This also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing serves the purpose of establishing, exercising or defending legal claims.
How to object
There is no special form to fill in. Just send your objection to the following address, quoting “objection” as the subject, and including your name, address and date of birth:
Entschädigungseinrichtung deutscher Banken GmbH
Data Protection Officer
Telephone: +49 30 5900 1196 0
You may at any time withdraw your consent with future effect. This can be done by phone, by email or by surface mail to our postal address; there is no special form to fill in. The withdrawal of your consent will not affect the legality of data processing carried out on the basis of your consent until the receipt of your withdrawal of consent. Once your withdrawal of consent is received, data processing based solely on your consent will no longer take place.
If you believe that the processing of your personal data is unlawful, you can lodge a complaint with a data protection authority responsible for your place of residence, your place of work or the place where the alleged infringement took place.