Checking the authorisation requirement and tracing unauthorised transactions: Information on data processing

The Deutsche Bundesbank processes personal data to the extent necessary to fulfil its legal obligations. These data include data that the Deutsche Bundesbank has collected about you. With a view to providing details on data processing, notifying you of your rights and complying with its requirement to provide information pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR), the Deutsche Bundesbank hereby informs you of the following:

1. Contact address

Deutsche Bundesbank
Wilhelm-Epstein-Straße 14
60431 Frankfurt am Main
Postfach 10 06 02
60006 Frankfurt am Main

Telephone: +49 69 9566-0
Fax: +49 69 9566-3077

2. Purpose of processing

Application of the administrative procedure to check the authorisation requirement and to trace unauthorised transactions.

3. Legal basis for data collection

Sections 32, 33, 37 and 44c of the German Banking Act (Kreditwesengesetz); Sections 8 and 10 to 13 of the Payment Services Oversight Act (Zahlungsdiensteaufsichtsgesetz); Act on Administrative Procedures (Verwaltungsverfahrensgesetz).

4. Categories of personal data processed

The categories of personal data processed are as follows:
identifying details/address and contact details (e.g. work contact details), personal data relating to professional or business activities

5. Intention to transmit personal data to recipients in a third country or to an international organisation

Personal data will only be transmitted to a recipient in a third country (countries outside the European Union and the European Economic Area) or to an international organisation to the extent necessary to fulfil legal obligations.

6. Data recipients

Your data are processed within the Deutsche Bundesbank by the responsible members of staff. The data are transmitted to the Federal Financial Supervisory Authority (BaFin). In turn, BaFin transmits the data to authorities and courts involved in the administrative and/or criminal proceedings as well as to those persons BaFin engages to investigate the matter or implement its measures or who are legally entitled to access the information from BaFin.

7. Duration of data retention

Requests for authorisation requirement pursuant to applicable supervisory laws – 10 years; in all other cases – 30 years; following conclusion of the administrative procedure in both cases.

8. Your rights as the data subject

You, as the data subject, have the right of access (Article 15 of the GDPR), the right to rectification (Article 16 of the GDPR), the right to erasure (Article 17 of the GDPR), the right to restriction of processing (Article 18 of the GDPR), the right to data portability (Article 20 of the GDPR) and the right to object (Article 21 of the GDPR). You also have the right to lodge a complaint with the competent supervisory authority, the Federal Commissioner for Data Protection and Freedom of Information.

9. Existence of automated decision-making (including profiling)

No automated decision-making takes place.

10. Source of personal data

The data source is not generally accessible.

11. Basis for the provision of your data and consequences of failure to provide personal data
(only applies to direct data collection, Article 13 of the GDPR)

The administrative procedure cannot be carried out without processing personal data.