Status 05.12.2023
Structure
Part I: General part
Part II: Additional information for the use of the website
Part III: Data protection information for online meetings, conference calls and webinars via “TeamViewer Meeting”
Part I: General part
Thank you for your interest in our bank, its products and services. The protection of your privacy and your personal data is important to us.
With this data protection notice, we would like to inform you about the type, scope and purpose of the collection, use and processing of the information and data collected by us and ensure the highest possible level of transparency and security.
Our data protection principles
We handle the data transferred to us confidentially and responsibly and comply with the statutory provisions on data protection, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Which data is processed in detail and how it is used depends largely on which products and services you use from our bank.
1. Who is responsible for data processing and who can I contact?
Responsible body: | Data Protection Officer: Christian Kistler |
Middle East Bank, Munich Branch | Middle East Bank, Munich Branch |
Landsberger Str. 406 | Landsberger Str. 406 |
E-mail: info@middle-east-bank.de | E-mail: datenschutz@middle-east-bank.de |
2. Which sources do we use?
The Bank uses personal data that we receive from you as part of our business initiation and business relationship. In addition, we process – to the extent necessary for the provision of our services – personal data that we have received from third parties (e.g. credit agencies such as SCHUFA or CRIF) in a permissible manner (e.g. for the execution of orders, for the fulfilment of contracts or on the basis of consent given by you). On the other hand, we process personal data that we have legitimately obtained from publicly accessible sources (e.g. debtor directories, land registers, commercial and association registers, press, media) and are authorised to use.
Relevant personal data are:
- personal data (name, address and other contact details, date and place of birth and nationality),
- Identification data (e.g. ID card data) and authentication data (e.g. specimen signature).
In addition, depending on the banking transactions, financial services, insurance and/or property transactions provided or brokered by us, this may also include the following data:
- Order data (e.g. payment order, securities order),
- Data from the fulfilment of our contractual obligations (e.g. turnover data in payment transactions, credit lines),
- Product data (e.g. deposit, credit and custody business),
- Information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets),
- Advertising and sales data, documentation data, register data,
- Data about your use of the telemedia offered by us (e.g. time of access to our websites, apps or newsletters, pages of ours that were clicked on, or entries) and
- other data comparable with the categories mentioned.
In addition, during the business initiation and relationship, in particular through personal, written or telephone contacts initiated by you or by our bank, further personal data may be processed, e.g. information about the contact channel, date of contact, reason for and result of the contact, (electronic) copies of correspondence and information about involvement in direct marketing measures.
3. What does the bank process your data for (purpose of processing) and on what legal basis?
Middle East Bank processes personal data in accordance with the provisions of the GDPR and the German Federal Data Protection Act (BDSG).
3.1 For the fulfilment of contractual obligations (Art. 6 para. 1 b GDPR)
The processing of personal data is carried out for the purpose of providing and brokering the banking transactions, financial services, insurance and real estate transactions you carry out with us, in particular for the execution of our contracts or pre-contractual measures with you and the execution of your orders, as well as all activities necessary for the operation and administration of a credit and financial services institution.
The purposes of data processing depend primarily on the specific product (e.g. account, loan, building society savings, securities, deposits, brokerage, online banking) and may include needs analyses, advice and the execution of transactions.
Further details on the purpose of data processing can be found in the respective contract documents and terms and conditions.
3.2 As part of the balancing of interests (Article 6 (1f) GDPR)
Where necessary, we process your data beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties, for example in the following cases:
- Consultation of and data exchange with credit agencies (e.g. SCHUFA) to determine creditworthiness or default risks and the need for a seizure protection account or basic account,
- Examination and optimisation of procedures for needs analysis and direct customer contact,
- advertising or market and opinion research, unless you have objected to the use of your data,
- Assertion of legal claims and defence in legal disputes,
- Ensuring the bank’s IT security and IT operations,
- Prevention and investigation of criminal offences,
- Video surveillance is used to collect evidence in the event of criminal offences or to prove transactions and deposits, e.g. at ATMs. It therefore serves to protect customers and employees as well as to exercise domiciliary rights,
- Measures for building and plant security (e.g. video surveillance, access controls),
- Measures to safeguard domiciliary rights and
- Measures for business management and further development of services and products.
3.3 On the basis of your consent (Article 6 (1a) GDPR)
If you have given us your consent to process personal data for specific purposes (e.g. forwarding data within the association/group, analysing payment transaction data for marketing purposes), the lawfulness of this processing is based on your consent. Any consent given can be revoked at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
3.4 Due to legal requirements (Article 6 (1c) GDPR) or in the public interest (Article 6 (1e) GDPR)
As a bank, we are also subject to various legal obligations, i.e. statutory requirements (e.g. German Banking Act, Money Laundering Act, Securities Trading Act, tax laws) and banking supervisory requirements (e.g. European Central Bank, European Banking Authority, Deutsche Bundesbank and German Federal Financial Supervisory Authority). The purposes of processing include credit checks, identity and age checks, fraud and money laundering prevention, the fulfilment of control and reporting obligations under tax law and the assessment and management of risks.
4. Who receives my data?
Within the bank, those departments that need your data to fulfil our contractual and legal obligations will have access to it. Processors engaged by us (Article 28 GDPR) may also receive data for these purposes. These are companies in the categories of credit services, IT services, logistics, printing services, telecommunications, debt collection, advice and consulting as well as sales and marketing.
With regard to the transfer of data to recipients outside the bank, it should first be noted that we are obliged under the General Terms and Conditions agreed between you and us to maintain confidentiality about all customer-related facts and assessments of which we become aware (banking secrecy). We may only pass on information about you if this is required by law, if you have given your consent or if we are authorised to provide banking information. Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities) in the event of a legal or official obligation.
- Other credit and financial services institutions or comparable organisations to which we transfer personal data in order to carry out the business relationship with you (depending on the contract: e.g. correspondent banks, custodian banks, stock exchanges, credit agencies).
Other data recipients may be those bodies for which you have given us your consent to transfer data or for which you have released us from banking secrecy in accordance with the agreement or consent.
5. How long will my data be stored?
Where necessary, we process and store your personal data for the duration of our business relationship, which also includes the initiation and fulfilment of a contract. It should be noted that our business relationship is a continuing obligation that is intended to last for years. In addition, we are subject to various retention and documentation obligations arising from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG), among others. The retention and documentation periods specified there are two to ten years. Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.
If there is no legal requirement to retain personal data and we have not received a declaration of consent from the data subject in accordance with Article 6(1)(a) GDPR, we delete personal data immediately after the basis for retention no longer applies. We take into account an additional retention period of six months on the basis of legitimate interest in accordance with Article 6(1)(f) in order to be able to properly process any requests from the data subjects (e.g. withdrawal of the reason for deletion) regarding the personal data intended for deletion.
6. Is data transferred to a third country or to an international organisation?
Data is only transferred to third countries (countries outside the European Economic Area – EEA) if this is necessary for the execution of your orders (e.g. payment and securities orders), is required by law or if you have given us your consent. We will inform you of the details separately if required by law.
7. What data protection rights do I have?
Every data subject has the right:
- to information (Article 15 GDPR),
- to rectification (Article 16 GDPR),
- to erasure, the “right to be forgotten” (Article 17 GDPR),
- to restriction of processing (Article 18 GDPR) and
- to data portability (Article 20 GDPR).
The restrictions according to §§ 34 and 35 BDSG apply to the right to information and the right to erasure. Please contact our data protection officer for this purpose:
Middle East Bank, Munich Branch
Data Protection Officer
Landsberger Str. 406
81241 Munich
E-mail: datenschutz@middle-east-bank.de
In addition, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
8. Is there an obligation to provide data?
As part of our business relationship, you only need to provide the personal data that is required for the establishment, implementation and termination of a business relationship or that we are legally obliged to collect.
Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to fulfil an existing contract and may have to terminate it.
In particular, we are obliged under money laundering regulations to identify you before establishing the business relationship, for example by means of your identity card, and to collect your name, place of birth, date of birth, nationality and residential address. To enable us to fulfil this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes that occur during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue the business relationship you have requested.
9. To what extent is there automated decision-making in individual cases?
In principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and conduct the business relationship. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.
10. To what extent will my data be used for profiling (scoring)?
We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in the following cases, for example:
- Due to legal and regulatory requirements, we are obliged to combat money laundering, terrorist financing and criminal offences that endanger assets. This also involves analysing data (e.g. in payment transactions). These measures also serve to protect you, as we use analysis tools to provide you with targeted information and advice on products. These enable needs-based communication and advertising, including market and opinion research.
- We use scoring to assess your creditworthiness. This involves using a mathematically and statistically recognised and proven procedure to calculate the probability that a customer will meet their payment obligations in accordance with the contract.
This calculation takes into account income, expenditure, existing liabilities, occupation, employer, length of employment, experience from previous business relationships, contractual repayment of previous loans and information from credit agencies. The calculated score values help us to make decisions when concluding products and are included in ongoing risk management.
A (determined) poorer score value can, for example, lead to the rejection of a loan application or restrictions on the amount of financing and/or the method of payment.
11. Information about your right to object according to Art. 21 (GDPR)
a) Right to object on a case-by-case basis
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(f) of the GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR, which the Bank uses to assess creditworthiness or for advertising purposes.
If you object, Middle East Bank will no longer process your personal data unless Middle East Bank can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
b) Right to object to the processing of data for direct marketing purposes
In individual cases, the Bank processes your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, the Bank will no longer process your personal data for these purposes.
The objection can be made informally and should preferably be addressed to:
Middle East Bank, Munich Branch
Data Protection Officer
Landsberger Str. 406
81241 Munich
Part II: Additional information for the use of the website
12. Hosting
We host the content of our website with the following provider:
DomainFactory
The provider is DomainFactory GmbH, c/o WeWork, Neuturmstraße 5, 80331 Munich (hereinafter referred to as DomainFactory). When you visit our website, DomainFactory records various log files including your IP addresses.
Details can be found in DomainFactory’s privacy policy: https://www.df.eu/de/datenschutz/
The use of DomainFactory is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. for device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Order processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which guarantees that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
13. Area restriction of this privacy policy for visiting our website
Our privacy policy applies exclusively to our own content that we store on our servers. Any links to third-party websites in our offers are expressly not included.
14. Collection of personal data when using the functions of our website
When you access our website, a connection is established with our server. The access paths of the pages, the time the connection was established and your current IP address are recorded and stored in order to prevent malfunctions and problems. During your visit to our website, data (“cookies”) may be stored on your computer to make it easier for you to use our website. We do not use this data to identify you or to contact you.
We do not collect any personal data when you use the website for information purposes only, with the exception of the data that your browser transmits to enable you to visit the website.
These are:
- Date and time of access,
- Computer name or address from which access is made,
- Name and size of the file to be queried,
- Name of the web browser used and its version,
- the operating system used and
- URL of the previously visited website (referrer address).
This data is not merged with other data sources.
Data relating to the end device is stored by us, among other things, to compile usage statistics or for the purposes of identifying and tracking unauthorised attempts to access our web servers. We only create anonymised profiles about the use of our websites and only to improve user guidance and optimise our offers and services.
This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – the server log files must be recorded for this purpose.
15. Technologies used
Parts of this website may use technologies that are widely used on the Internet, such as JavaScript, Java, Flash or ActiveX, in order to provide you with the information you require more conveniently. Under no circumstances will we use these technologies to spy out personal data or manipulate data on your computer.
16. SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
17. Cookies
Only technically necessary cookies are used on the Middle East Bank website. No cookies are used that process personal data.
18. Contact form
If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions – in particular retention periods – remain unaffected.
19. Enquiry by e-mail, telephone or fax
If you contact us by e-mail, telephone or fax, your enquiry including all personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
20. Handling of applicant data
We offer you the opportunity to apply to us (e.g. by e-mail, post or online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.
a) Scope and purpose of data collection
If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and – if you have given your consent – Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.
If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG and Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.
b) Retention period of the data
If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The retention serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.
Data may also be stored for longer if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations prevent deletion.
21. Transmission of personal data to CRIF GmbH
We transmit personal data collected within the scope of this contractual relationship regarding the application, execution and termination of this business relationship to CRIF GmbH, Leopoldstraße 244, 80807 Munich.
The legal basis for these transfers is Article 6(1)(b) and Article 6(1)(f) of the GDPR.
Transfers on the basis of Article 6(1)(f) GDPR may only take place insofar as this is necessary to safeguard the legitimate interests of our company or third parties and the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail.
The exchange of data with CRIF also serves to fulfil legal obligations to carry out creditworthiness checks on customers (Sections 505a and 506 of the German Civil Code).
CRIF processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and Switzerland and, if applicable, other third countries (provided that an adequacy decision of the European Commission exists for these) with information, among other things, to assess the creditworthiness of natural persons. Further information on CRIF’s activities can be found in the CRIF information sheet or online at www.crif.de/de/datenschutz.
Part III: Data protection information for online meetings, conference calls and webinars via “TeamViewer”
22. Purposes of the processing activity
Through your participation in a web or video conference (online event) with the TeamViewer Meeting system, the provider (TeamViewer Germany GmbH, Bahnhofsplatz 2, 73033 Göppingen) processes your personal data with your consent in order to organise the internet-based event. The applicable data protection information on processing by the provider can be found here: https://www.teamviewer.com/de/datenschutzerklaerung/?t=1634912148821#meeting-recipient
The online event is generally not recorded. In exceptional cases, you will be informed before the recording begins and can object to this.
23. Legal basis
The processing is necessary for the fulfilment of a contract or in the context of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR. If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f GDPR. Here too, we have an interest in the effective organisation of “online meetings” and there are no overriding interests or fundamental rights and freedoms of the data subject that require protection.
24. Categories of recipients
As a participant, we inform you that your image/sound will be transmitted via camera/microphone during the web conferences and that this will be recognisable/visible to all participants during the event. This data and any written statements made by you in a chat module that is also available will only be available online until the end of the event. We also use a service provider (processor) to organise the online event: TeamViewer Germany GmbH, Bahnhofsplatz 2, 73033 Göppingen, which processes at least your IP address and the participant data entered at the beginning (name) as well as the transmitted audio and video data to technically enable the online event.
25. Data transfer to a third country
In the course of the TeamViewer Meeting, data is usually processed within the EU. In exceptional cases, data may also be transferred to third countries. If TeamViewer transfers your personal data outside the EU or EEA to countries that do not have an adequate level of data protection recognised by the EU, e.g. to obtain intragroup IT services from Australia, the USA and Armenia, we will take protective measures to adequately protect your personal data. In particular, we will conclude model contracts with the relevant organisations. You can find more information on this at: https://www.teamviewer.com/de/datenschutzerklaerung/?t=1634912148821#meeting-recipient
26. Storage period of the personal data
If no recording is announced in advance, your data will only be stored by us during the organisation of the online event. Personal data will therefore be deleted as soon as its purpose (holding the meeting itself) no longer applies and there is no obligation to retain it. The latter is generally not the case in the context of meetings.
27. Your rights as a data subject
As a natural person, you have the right to information (pursuant to Art. 15 GDPR) from the controller about the personal data concerning you and to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) and restriction of processing (Art. 18 (1) GDPR). You also have the right to object to processing (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR). If you would like to exercise your rights, please contact the data protection officer.
28. Right of appeal
You have the right to lodge a complaint with the competent supervisory authority. For Middle East Bank Munich Branch this is:
Bavarian State Office for Data Protection Supervision, P.O. Box 1349, 91504 Ansbach
or online at https://www.lda.bayern.de/de/beschwerde.html
The right of appeal exists without prejudice to other administrative or judicial remedies.