Data Protection Notice

The responsible party is:

UniCredit Bank GmbH
Arabellastr. 12
81925 München
Telefon: +49 (0)89 378 – 0
E-Mail-Adresse: info@unicredit.de 

You can reach our Corporate Data Protection Officer at:

UniCredit Bank GmbH
Datenschutzbeauftragter
Postfach
80311 München
Telefon: +49 (0)89 378 – 0
E-Mail-Adresse: datenschutzrechte@unicredit.de

We process the personal data that we obtain from you, if you are interested in our products, sign up for a web service, contact us by E-Mail, Chat, or a contact form. Relevant personal data of prospective customers, applicants or customers can include:

• Personal details (e.g. name, address, e-mail address and other contact data)
• Order-related data (e.g. your banking account, tax identification number (TIN))
• Information regarding your financial situation (such as your monthly expenses)
• And other data comparable to the above categories.

When visiting the website we obtain by our IT systems technical data, as for example information about the internet browser, the operating system or the time of page view, in order to ensure an accurate provision of the website. The collection of data takes place, as soon as you open the website and is indispensable for the operation of the site.

In the context of our Internet presence we collect in additional data as for instance IP addresses and unique identifiers of devices as well as anonymous data about your online habits. This helps us to realize, whether and how you are on the way to our websites, in order to configure our web presence user-oriented and in line with demand.

Further information can be found on COOKIES.

In the context of our Internet presence we process various types of personal data in the following way:

• If you enroll for a service and give your personal details (as for example your name, address or email-address) we use your data only in order to communicate with you and for the purpose you dedicated your data to us respectively as far as this is necessary for the implementation of the service. If you enroll for a newsletter subscription, we use your data only for the newsletter-subscription.
• If you use our Internet presence in order to forward a message directly to us or place an order, we use your data after processing your order or your message in order to inform you about the subject you addressed in your message or about other subjects. This doesn’t apply if you objected to the use and the processing of data for purposes of direct advertising.

Any processing and use of your personal data extending beyond takes only place - except for the cases where we are legally bound - if you have given us your consent. On some sides of this website you have the opportunity to provide your consent (e.g. in order to contact you by telephone). In case of providing consent the purpose of data processing is predetermined. It goes without saying that consent is freely given and that your consent can be revoked at any time by telephone on 0800/1090903 or alternatively by forwarding an email to info@unicredit.de.

For the purpose of meeting contractual obligations (Art. 6 para. 1 b GDPR)

Data are processed to conduct banking business and provide financial services under the contracts with our customers and to implement pre-contractual measures, upon request (e.g. product and advisory inquiries of prospective customers and customers). The purposes for which data processing is used primarily depend on the specific product (e.g. consumers financing, account, loan) and can include requirements analysis and product selection, among other things. You can find additional details regarding the purposes for which data processing is utilized in the relevant contract documents and standard terms of business.

As part of balancing of interests (Art. 6 para. 1 f GDPR)

In addition to processing your data for the actual performance of the contract or for pre-contractual measures, we process your data to the extent necessary to protect our legitimate interests and those of third parties. Examples:

• Consulting and exchanging data with credit bureaus (e.g. SCHUFA) to determine the credit risk or risk of default in the lending transaction and the need for an attachment protection account or a basic account,
• Examining and optimizing requirements analysis procedures for the purpose of direct customer contact,
• Advertising or market-and-opinion research, to the extent that you have not objected to this use of your data,
• Analysis of information we obtain for quality improvement upon visiting our website,
• Analysis of results of marketing efforts in order to measure the efficiency and the relevance of our campaigns,
• Ensuring IT security and the security of the Bank’s IT operations,
• Taking measures to manage the business and further develop services and products

With your consent (Art. 6 para. 1 a GDPR)

To the extent that you have given us your consent to process your personal data for specific purposes (e.g. telephone contact and promotional approach), such processing is lawful based on your consent. Once given, your consent can be revoked at any time. This also applies to declarations of consent provided to us before the GDPR takes effect, i.e. before 25 May 2018. The revocation of consent does not affect the lawfulness of data processed before the revocation.

Based on legal obligations (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)

Moreover, as a bank, we are subject to various legal obligations, i.e. statutory requirements (e.g. the German Banking Act [Kreditwesengesetz], the Money-Laundering Act [Geldwäschegesetz], the Securities Trading Act [Wertpapierhandelsgesetz], and the tax laws) as well as bank regulatory requirements (e.g. those imposed by the European Central Bank, the European banking regulator, the German Central Bank and the German Federal Financial Supervisory Authority). The purposes for which processing is used include fraud and money-laundering prevention and the fulfilment of control and reporting obligations under tax laws.

Within the Bank, those parties that need access to your data to meet our contractual and statutory obligations receive such access. Service providers and agents utilised by us can also receive data for these purposes if they maintain banking secrecy and data protection. With regard to this website we utilise companies in the categories of IT services as well as marketing and online audience measurement. We only engage selected service providers which are contractually obliged to process data solely in line with our instructions.

With respect to the disclosure of data to recipients outside of our Bank, it should first be noted that, as a bank, we are obliged to maintain confidentiality with respect to all customer-related facts and assessments of which we obtain knowledge (banking secrecy in accordance with No. 2 of our Standard Terms of Business). We may only disclose information regarding you when statutory provisions so require or when you have consented to this or we are authorised to issue a bank reference. Under these conditions, the following parties may receive your personal data, e.g.:

• Public bodies and institutions (e.g. the German Central Bank, the German Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, financial authorities, prosecuting authorities) if there is a statutory or regulatory obligation.
• Other banks and financial services institutions or comparable institutions to which we send personal data in the pursuit of our business relationship with you (depending on the contract, e.g. correspondent banks, custodian banks, stock exchanges, credit bureaus)

Data will only be transferred to countries outside the EU and the European Economic Area (so-called third countries), if this is required for the execution of your orders (e. g. payment orders and orders for securities), prescribed by law (e. g. reporting obligations under tax law), if you have given us your consent or in the context of commissioned data processing.

If service providers in a third country are used, data transfer is permissible, if the European Commission has decided that there is an adequate level of protection in the third country (Art. 45 GDPR). If the Commission has not made such a decision, UniCredit Bank GmbH or the service provider may only transfer personal data to a service provider in a third country if suitable guarantees have been provided (e. g. EU Standard Contractual Clauses) as well as enforceable rights and legal remedies are available.

In addition, UniCredit Bank GmbH has contractually agreed with its service providers that privacy principles with due observance of the European level of data protection, must always be ensured by their contract partners.

We process and store your personal data only for as long as necessary for the respective processing purposes.

If the data is no longer required for fulfilling contractual or legal obligations, it is regularly deleted — unless its continued (temporary) processing is necessary for purposes such as:

• Compliance with commercial and tax-related retention obligations: These include the German Commercial Code (HGB), the Fiscal Code (AO), the Banking Act (KWG), the Anti-Money Laundering Act (GwG), and the Securities Trading Act (WpHG). The retention and documentation periods specified therein range from two to ten years.

• Preservation of evidence for legal disputes within the framework of statutory limitation periods: Civil law limitation periods can be up to 30 years.

Every data subject has the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. The restrictions in §§ 34 and 35 BDSG apply to the right to information and the right of erasure. In addition, there is a right to lodge a complaint with a competent data protection authority (Article 77 GDPR in conjunction with § 19 BDSG).

In the case that you claim your data protection rights please contact our Corporate Data Protection Officer by reference to the Internet Presence www.hypovereinsbank.de. You can find further information about the processing of personal data by UniCredit Bank GmbH and your rights under data protection law at hvb.de/eu-gdpr-information.

This Internet presence doesn’t contain social plugins of social networks such as Facebook, Google+ or Twitter, but only hyperlinks to social networks. Hence these networks have no way of reconstructing your activities on our websites.

On our Internet presence www.hypovereinsbank.de we deploy YouTube on a few pages. YouTube is a videoportal of YouTube LLC., 901 Cherry Ave., 94066 San Bruno, CA, USA, hereinafter referred to as „YouTube“. YouTube is a subsidiary company of Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as „Google“. 

We utilise YouTube in connection with a 2-click-solution in order to show videos to you. By using this solution for the integration of YouTube videos, we ensure that by starting the video you agree and consent with loading the YouTube player and therefore make a connection with YouTube’s server and transfer data. Before your video start, a YouTube connection is not made automatically. You will know a YouTube connection has been started when you see start screen „starting YouTube Video“. By clicking on YouTube Video information (including your IP-Address, the date, the time as well as the webpage visited by you) is transferred to the server of YouTube resp. Google in US. Moreover a connection is established to the commercial network „DoubleClick“ of Google. By starting the video further data processing operations can be initiated. Please note, that we have no influence on this.

Videos without designation within the start screen „starting YouTube Video“ are on our servers and don’t establish a connection to YouTube.

In case you are logged on YouTube at the same time, YouTube allocates the connection information to your YouTube-account. If you want to prevent this, you need to log off on YouTube or to adjust the settings in your YouTube-user account before you visit our Internet presence. For the purpose of functionality and analysis of user behaviour YouTube stores permanently cookies over your internet browser on your device. If you disagree with the processing, you can adjust the settings in your internet browser, in order to hamper the storage of cookies. You can find further information of Google about the collection and use of data, your rights in this regard and protection measures on https://www.google.de/intl/de/policies/privacy/

Description:
Strictly necessary cookies are essential for the security and stability of the website, load balancing, infrastructure monitoring, and enabling chat functionality. They also support processes such as tracking the progress of your product selection in application flows. Overall, they ensure proper and expected use of the website and are therefore not optional. Additionally, they store your preferences regarding consent-based cookies.

Strictly necessary cookies have a very short lifespan—typically only during your active session, and in exceptional cases, a few hours. Your preferences regarding consent-based cookies are stored for 3 months.

Storage Information:
These cookies have different lifespans depending on their functionality and purpose:

Maximum storage duration: 3 months

Details about hvb.de cookies

Description:
We are committed to continuously improving our online services. To do so, it is important for us to understand how different users interact with our website.

To analyze the usage of our public website hypovereinsbank.de (excluding the online banking area), we have engaged the service provider Adobe Systems Software Ireland Limited, located at 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland.

The website is measured using Adobe’s tool Adobe Analytics.

Data Processed:
Adobe Analytics stores a shortened version of your IP address, making it impossible to trace back to your original IP address. In general, no personally identifiable data is sent to Adobe Analytics in plain text. Relevant data fields are pseudonymized using the SHA-256 hashing method before being transmitted, ensuring that Adobe, as an external provider, cannot identify you personally.

HypoVereinsbank receives only statistical evaluations, which help us assess and optimize the user-oriented design of our website.

Storage Information:
These cookies have different lifespans depending on their functionality and purpose:

• Maximum storage duration: 3 years

Details about HVB.de cookies

If you have consented to the processing of statistical data, you can withdraw your consent at any time via this link.

If you allow us to use this type of cookie, you help us measure the success of our advertising campaigns and place them more effectively and in a more targeted manner. We are supported in this by various service providers.
You can find information about the individual providers and the technologies they use below.

Description:
Our service provider Virtual Minds GmbH, Ellen-Gottlieb-Straße 16, 79106 Freiburg im Breisgau, supports us in the area of marketing through its Adition Adserving Platform.

By consenting to this processing via cookies and so-called pixels, pseudonymized user profiles are created based on your usage of the HVB website and your interest in specific topics. These profiles are made available to the Adition server.

Based on your interests, our advertising partner can display relevant ads to you within its connected advertising network, e.g., on other websites. This allows us to extend the reach of our offerings while taking your preferences into account.

Data Processed:

• Internet connection information
  Details about your internet service provider and the type of connection you use, such as broadband, Wi-Fi, or mobile network.

• IP address collection

• Location information
  When using a mobile device and location services are enabled.

• Device information
  Device type and operating system.

• Internet application information
  Software used (app, browser, version, settings).

• Content usage and interactions
  Information about displayed advertisements: advertiser, ad content, interaction.

Storage Information:
Technical log files created during data transmission are automatically deleted after a maximum of 3 days. Cookies stored in the user's browser typically have a lifespan of 90 days. If the cookie is recognized again within this period, its lifespan is extended by another 90 days. If the identifier is not recognized for 90 days, the cookie is automatically removed from the user's browser.

• Maximum storage duration: 2 months and 29 days

Useful Additional Links:
Privacy Policy and Cookie Information of the Data Processor https://www.adition.com/en/privacy-platform/ 

Details about HVB.de Cookies

If you have consented to data processing by Adition, you can withdraw your consent at any time via this link.

Description:
We use Google Ads (formerly Google AdWords), a service provided by Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland.

The integration of Google Ads on the HypoVereinsbank website serves marketing and optimization purposes—particularly to display relevant and engaging ads for you and to improve the performance of our advertising campaigns.

Google Ads Conversion Tracking allows us to measure the success of our campaigns. This service records what happens after a user clicks on an ad placed by us via Google Ads and subsequently visits our website.

Conversions (e.g., service orders, contact requests) resulting from paid campaigns help us evaluate the effectiveness of our ads, keywords, ad groups, and more.

Data Processed (excerpt):

• Clicked ads on Google
• Cookie IDs
• IP address
• Date and time of your visit to our site
• Browser information (e.g., language and type)
• Device information (e.g., mobile, Android)
• User behavior (actual conversions, e.g., contact form submitted)

Storage Information:
These cookies have different lifespans depending on their functionality and purpose:

• Maximum storage duration: 1 year and 1 month

Useful Additional Links

• Google Privacy Policy: https://policies.google.com/privacy?hl=de 

Details about HVB.de Cookies

If you have consented to data processing by Google Ads, you can withdraw your consent at any time via this link.

Description:
By consenting to these cookies, you help us make the advertising we show you more relevant. We focus on personalized interaction in the right context, adapting to what you clicked on during previous visits and what may personally interest you. To manage real-time interactions, we use a tool provided by an external service provider.

Data Processed:

• Personal information you provide when registering for a service, such as during registration for HVB Online Banking or other services (e.g., newsletter subscription).

• Personalized records of your usage of our online services: We collect detailed behavioral data based on your activities across digital channels (e.g., hypovereinsbank.de including subdomains, online and mobile banking) to identify your personal interests.

• Personalized records of your email usage: From your click behavior, we can determine how our email offerings are received and which products or services interest you.

• Internal banking data about your customer relationship (e.g., whether you hold a current account or a securities account with us).

We use this data for the following purposes:

• Targeted, needs-based customer communication across our digital channels
• Optimization of personalized advice, advertising, and market research
• Improved design of our website

If you have also given consent for the use of your data in online/mobile banking, we combine this information to offer you even more tailored services. This is only done if both consents have been provided.

Storage Information:
We use a cookie from our external service provider for personalization purposes to identify you.

• Maximum storage duration: 1 year

If you have consented to personalized data processing, you can withdraw your consent at any time via this link.

Description:
With your consent, the Mapbox mapping service (https://www.mapbox.com) is available to display the bank’s branches geographically. The provider is Mapbox Inc., 740 15th St NW, Washington, DC 20005, United States.
Terms of use: https://www.mapbox.com/legal/tos

The integration of the mapping service is carried out via our location marketing service provider uberall.com to enable the “Branch Finder” feature. To display the Mapbox map material in your web browser, your browser must establish a connection to a Mapbox server when accessing the branch search. This server may be located in the USA.
To enhance the usefulness of the “Branch Finder” feature, you may be asked to share your location. However, this is not a mandatory requirement for using the service.

Please note:
If you have enabled location sharing in your general browser settings, Mapbox may—upon your consent - also provide distance information to the respective branch locations for added convenience.

When viewing detailed branch information, such as booking an appointment, static images are used, and no communication with Mapbox takes place.

Useful Additional Links:

• Mapbox Terms of Use: https://www.mapbox.com/legal/tos

If you have consented to data processing by Mapbox, you can withdraw your consent at any time via this link.