The Deutsche Bundesbank processes personal data to the extent necessary to fulfil its legal obligations. These data include data that the Deutsche Bundesbank has collected about you. With a view to providing details on data processing, notifying you of your rights and complying with its requirement to provide information pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR), the Deutsche Bundesbank hereby informs you of the following:

1. Contact address

Deutsche Bundesbank
Wilhelm-Epstein-Straße 14
60431 Frankfurt am Main
Postfach 10 06 02
60006 Frankfurt am Main

Telefon: +49 69 9566-0
Fax: +4969 9566-3077
E-Mail: info@bundesbank.de

2. Purpose of processing

Insight into and analysis of loans granted to natural persons that are to be reported to the Deutsche Bundesbank by institutions and enterprises subject to reporting requirements pursuant to Article 394 of the Capital Requirements Regulation (CRR) or Section 14 of the Banking Act (Kreditwesengesetz).

3. Legal basis for data collection

Article 4(1) number 39 and Article 394 of the CRR; Sections 14 and 19 of the Banking Act; the Regulation governing large exposures and loans of €1 million or more (Groß- und Millionenkreditverordnung); and the ITS on Supervisory Reporting of large exposures.

4. Categories of personal data processed

The categories of personal data processed are as follows:
Names, place of residence, date of birth, occupation, information on participatory relationships and/or membership of a borrower unit pursuant to Section 19(2) of the Banking Act and/or group of connected clients pursuant to Article 4(1) number 39 of the CRR or civil-law partnership and/or account partnership, borrower’s or borrower unit’s credit volume pursuant to Section 19(1) of the Banking Act, type of credit protection (if applicable), taxpayer number (if applicable).

5. Intention to transmit personal data to recipients in a third country or to an international organisation

It is not the intention of the Deutsche Bundesbank to transmit your data on loans of €1 million or more (Section 14 of the Banking Act) to a recipient in a third country (countries outside the European Union and the European Economic Area) or to an international organisation. Information on large exposures (Article 394 of the CRR) is passed on exclusively to the European Central Bank (ECB) and the European Banking Authority (EBA).

6. Data recipients

Your data are processed within the Deutsche Bundesbank by the responsible members of staff. Furthermore, in the context of cooperation on supervisory activities, the data are transmitted to the Federal Financial Supervisory Authority (BaFin) or the ECB and the EBA. Pursuant to Section 14(2) of the Banking Act, the lenders indicated in the reporting procedure are informed of their reported customers’ level of debt.

7. Duration of data retention

up to 20 years

8. Your rights as the data subject

You, as the data subject, have the right of access (Article 15 of the GDPR), the right to rectification (Article 16 of the GDPR), the right to erasure (Article 17 of the GDPR), the right to restriction of processing (Article 18 of the GDPR), the right to data portability (Article 20 of the GDPR) and the right to object (Article 21 of the GDPR). You also have the right to lodge a complaint with the competent supervisory authority, the Federal Commissioner for Data Protection and Freedom of Information.

9. Existence of automated decision-making (including profiling)

No automated decision-making takes place.

10. Source of personal data

The data source is the institution or enterprise subject to the reporting obligation pursuant to Section 14 of the Banking Act or Article 394 of the CRR.

11. Basis for the provision of your data and consequences of failure to provide personal data

Article 4(1) number 39 and Article 394 of the CRR; Sections 14 and 19 of the Banking Act; the Regulation governing large exposures and loans of €1 million or more (Groß- und Millionenkreditverordnung); and the ITS on Supervisory Reporting of large exposures. Provision of data is mandatory. The culpable breach of notification obligations constitutes an administrative offence, which, in the case of a breach of regulations governing the reporting of large exposures, carries a fine of up to €5,000,000 (Section 56(5) number 16 and Section 56(6) number 1 of the Banking Act) or, in the case of a breach of regulations governing loans of €1 million or more, carries a fine of up to €100,000 (Section 56(2) number 1 letter (d) and Section 56(6) number 4 of the Banking Act).