The following privacy policy provides an overview how your data is recorded and processed.

 

With the following information, we would like to give you an overview of how we process your personal data as well as your rights under the Data Protection Act. What specific data is processed in detail and how it will be used depends on the requested or agreed services.

 

1. Who is responsible for data processing and who can I contact?

 

Contact details as follows: 

GRENKE AG

Neuer Markt 2

76532 Baden-Baden, Germany

Phone: +49 7221 5007-0
Fax: +49 7221 5007-222 

 

You can reach our operational data protection officer at: 

GRENKE AG

Data protection officer

Neuer Markt 2

76532 Baden-Baden, Germany

E-mail: [email protected]

 

 

2. What sources and data do we use? 

 

We process personal data that we receive from our customers as part of our business relationship. In addition, we process – as far as necessary for the provision of our services – personal data that we might collect from publicly accessible sources (e.g. debtor directories, land registers, trade and association registers, press, internet) or that was obtained from our distribution partners or from other third parties (e.g. a credit agency). Finally, we process personal data of our shareholders, shareholder representatives, guests of the Annual General Meeting and analysts on the basis of our legal obligations.

 

Relevant personal data includes:

 

• Personal details (name, address, birthday, place of birth and nationality)
• Contact details (telephone, e-mail address)
• Verification data (e.g. ID data)
• Authentication data (e.g. signature sample)
• Order data (e.g. payment order)
• Data from the fulfilment of our contractual obligations (e.g. sales data in payment transactions)
• Information about your financial situation (e.g. creditworthiness data, scoring/rating data, source of assets)
• Advertising and sales data (including advertising scores), documentation data (e.g. consultation minutes)

• Data in connection with the shareholder position, such as the number of shares, type of shares, type of share ownership or information on the bank holding your shares.

• Data in connection with the Annual General Meeting of GRENKE AG such as the number of the admission ticket, powers of attorney, instructions, etc.

 
and other data comparable to the aforementioned categories.

 

3. What do we process your data for (purpose of processing) and on what legal basis? 

 

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal German Data Protection Act (BDSG): 

 

a. For the fulfilment of contractual obligations (Article 6 (1) (b) of the GDPR) 

 

Data is processed in order in order to provide financial services as part of the execution of our contracts with our customers or to carry out pre-contractual actions, which are carried out upon request. The purposes of data processing are primarily geared towards the specific product (e.g. leasing, factoring) and may include, but are not limited to, needs analysis, consulting and to perform transactions. 

 

b. As part of the balance of interests (Article 6 (1) (f) of the GDPR)

 

As far as necessary, we process your data beyond the actual fulfilment of the contract for the protection of our legitimate interests or those of third parties, in particular: 

 

• Consultation and exchange of data with credit agencies (e.g. SCHUFA) to identify credit risk or default risk

 

• For the purposes of examining possible credit risks and default risks as well as preventing criminal offences, we provide CRIF Bürgel GmbH, Radlkoferstraße 2, D-81373 Munich, Germany, with data on the application and the applicant. CRIF Bürgel GmbH will provide us with data stored on your person in the DSPortal (Deutsches Schutz Portal) if we have credibly demonstrated our legitimate interest.
• In addition, we transfer personal data collected in the context of this contract concerning the application, execution and termination of this business relationship as well as data on non-contractual or fraudulent behaviour to SCHUFA Holding AG, Kormoranweg 5, D-65201 Wiesbaden, Germany, and Creditreform Boniversum GmbH, Hellersbergstraße 11, D-41460 Neuss, Germany.
• The legal bases of these transfers are Article 6 (1) (b) and Article 6 (1) (f) of the GDPR. The legal basis of the transfers to CRIF Bürgel GmbH are additionally section 25 h of the German Banking Act as well as Art. 6 (1) (a) GDPR. Transfers on the basis of Article 6 (1) (f) of the GDPR may only be made to the extent necessary to safeguard our legitimate interests or those of third parties and provided these interests do not outweigh the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.
• The data exchange with the credit bureaus also serves the fulfilment of legal obligations to carry out creditworthiness checks of customers (section 505 a and section 506 of the Civil Code, section 18 a of the Banking Act).
  Credit agencies process the data obtained and also use it for the purposes of profiling (scoring) in order to provide their contractors in the European Economic Area and in Switzerland and, where applicable, other third-party countries (if there is an adequacy decision by the European Commission) with information in order to, inter alia, make assessments on the creditworthiness of natural persons.
  Detailed information according to Article 14 of the GDPR on the activities of the credit agencies can be found for the respective credit agency under the following links:

 

• Schufa Holding AG at www.schufa.de/datenschutz 
• Creditreform Boniversum GmbH at www.boniversum.de/EU-DSGVO 
• Bürgel Wirtschaftsinformation GmbH & Co KG at www.crifbuergel.de/de/datenschutz 

 

• Advertising-related communication via e-mail, post or telephone

 

• We shall process personal data – such as your name, address and contact details (e.g. e-mail, telephone numbers) – for the purposes of advertising-related communication, which may take place via various channels, such as e-mail, telephone or post, in accordance with prevailing legal requirements. We shall contact you on the basis of your consent in accordance with Article 6 (1) lit. a) GDPR or, if consent is not required, on the basis of our legitimate interests in accordance with Article 6 (1) lit. f) GDPR. We possess a legitimate interest in direct marketing if (and to the extent that) this is permitted by law, e.g. in the case of advertising vis-a-vis existing customers, and in building and maintaining our customer relationships.

 

• You shall have the right to revoke your consent at any time or to object to advertising-related communication at any time; further information on your rights as a data subject can be found in Clause 8 et seq. of this data protection declaration.

 

• Subsequent to revocation or objection, we may store the data required to prove consent for a period of up to three years on the basis of our legitimate interests before we delete it. The processing of this data shall be limited to the purpose of a possible defence against claims.

 

• Review and optimisation of requirements analysis procedures for direct customer contact
• Optimisation and needs-based design of the website
• Advertising or market and opinion research, provided that you have not objected to the use of your data
• Asserting legal claims and defence in legal disputes
• Ensuring the IT security and IT operation of our company
• Prevention and investigation of criminal offences
• Video surveillance for the protection of domiciliary rights, and for the collection of evidence in cases of robbery and fraud (see also section 4 BDSG)
• Measures for building and plant safety (e.g. access control)
• Measures to safeguard domiciliary rights
• Measures for business management and further development of services and products
• Quality assurance to optimize internal business processes

 

c. On the basis of your consent (Article 6 (1) (a)  GDPR)

 

Insofar as you have given us your consent to process your personal data for specific purposes (e.g., disclosure of data within the Group, or analysis of payment transaction data for marketing purposes), the legality of this processing is assured on the basis of your consent. Consent that has been issued can be revoked at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR came into effect, i.e. before 25 May 2018. The revocation of consent does not affect the legality of the data processed until the revocation.
 
d. Based on legal requirements (Article 6 (1) (c) GDPR), legitimate interests (Art. 6  (1) (f) GDPR)  or in the public interest (Article 6 (1) (e)  GDPR)
 
In addition, we are subject to various legal obligations, i.e. legal requirements (e.g., the Banking Act, the Money Laundering Act, and tax laws) as well as banking supervisory requirements (e.g., the European Central Bank, the European Banking Authority, the Deutsche Bundesbank, and the Federal Financial Supervisory Authority). The purposes of the processing include, but are not limited to, the creditworthiness check, identity and age checks, prevention of fraud and money laundering, the fulfilment of tax auditing and reporting obligations, and the assessment and management of risks.

 

Due to legal obligations (Art. 6  (1) (c) DS-GVO), in particular § 67 AktG, § 123 (2) and (3) AktG, § 129 (1) sentence 2 AktG and § 55 BörsO FWB, as well as due to the legitimate interests in the context of the organization and orderly conduct of Annual General Meetings, we also process personal data of shareholders, shareholder representatives and, if applicable, guests at the Annual General Meeting of GRENKE AG (in particular name and contact details). The processing of this data is necessary for the participation of shareholders, shareholder representatives and possible guests in the Annual General Meeting or the holding of analyst events. Personal data is stored in accordance with legal obligations and then deleted.

 

4. Who receives my data?

 

Within our organisation, the entities that gain access to your data are those who need it in order to fulfil our contractual and legal obligations. Our service providers and vicarious agents may also receive data for these purposes. These are companies in the categories of financial services, IT services, logistics, printing services, telecommunications, debt collection, advising and consulting, as well as sales and marketing.

 

With respect to the disclosure of data to recipients outside our company, we may only disclose information about you if we are required to do so by law or if you have given us your consent to do so. Under these conditions, recipients of personal data may be, for example:

 

• Public authorities and institutions (e.g., Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, and the tax and law enforcement authorities) in the presence of a legal or regulatory obligation.
• Other credit and financial services institutions or
• comparable institutions to which we transfer personal data over the course of our business relationship with you (depending on the contract, e.g., correspondent banks, credit agencies).
• Other companies within the group
• for risk management due to legal or regulatory obligations.

 

Other data recipients may be those to whom you have given us your consent for your data to be submitted.

 

5. Is data transmitted to a third-party country or to an international organisation?

 

A transfer of data to official bodies in countries outside the European Union (so-called third-party countries) takes place, as far as

 

• this is required in order to execute your orders (e.g. payment orders),
• this is required by law (e.g. in order to comply with tax reporting obligations), or
• you have given us your consent.