Privacy Notice | HSBC Germany

Privacy Notice and Information regarding your right to object

Data protection information for our customers and business partners, their representatives, authorised agents and other persons associated with our customers and business partners, and with prospects

As at June 2023

The following data protection information provides an overview of how we collect and process your data.

The purpose of this document is to provide you with information about how we process your personal data and what rights you have in this respect under current data protection regulations. Which data is processed in detail, and how the data are used is largely determined by the requested respectively the agreed services.

1. Who is responsible for data processing and who can I contact?

The data controller is:

HSBC Continental Europe S.A., Germany
Hansaallee 3
40549 Düsseldorf, Germany
Telephone: +49 (0)211 9100
Fax: +49 (0)211 910 616
Email address: info@hsbc.de

Our data protection officer can be reached at the following address:

HSBC Continental Europe S.A., Germany
Data protection officer
Hansaallee 3
40549 Düsseldorf, Germany
Telephone: +49 (0)211 910 2006
Fax: +49 (0)211 9109 2125
Email address: datenschutz@hsbc.de

2. Which sources and data do we use?

We process personal data that we obtain in the course of our business relationships or the initiation of business relationships with our customers, their representatives, authorized agents and other persons associated with our customers, and with prospective customers. Where it is necessary in order for us to render our services, we also process personal data that we lawfully obtain from publicly available sources (e.g. land registers, commercial registers and registers of association, press, internet) or that is legitimately provided to us by other companies within the HSBC Group or other third parties.

Relevant personal data includes your particulars (e.g. name, address and other contact details, date and place of birth, and nationality), data concerning your credentials (e.g. ID data), and authentication data (e.g. template signature). This might also extend to order data (e.g. payment order, securities order), data from the fulfilment of our contractual obligations (e.g. sales data in payments processing), information regarding your financial situation (e.g. data regarding your creditworthiness or the source of your assets), information for tax purposes, marketing and sales information, documentation data (e.g. record of advice, notes taken during meetings with you) and other data that is comparable to the above categories.

3. Why do we process your data (processing purpose) and what is the legal basis for this?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Data Protection Act (BDSG):

a. For the fulfilment of contractual obligations (Art. 6 (1) b GDPR)

Personal data (Art. 4 no. 2 GDPR) is processed for the purpose of providing banking services and financial services in order to fulfil our contracts with our customers or to conduct steps prior to entering into a contract upon request. Data processing is primarily carried out for reasons relating to the specific product (e.g. account, credit, securities services, deposits, or brokerage) and its objectives can include needs analyses, provision of advice, asset management services, and the execution of transactions. Further information on the purposes of the data processing can be found in the contractual documents and terms and conditions applicable to the products or transactions in question.

b. Based on the balancing of interests (Art. 6 (1) f GDPR)

If necessary, we will process data that goes beyond what is necessary simply for the fulfilment of the contract in order to safeguard our own, or a third party’s legitimate interests. Examples:

Needs analyses with a view to contacting customers or prospects directly,
Marketing, unless you have objected to the use of your data,
Assertion of legal claims and defense in the event of legal disputes,
Guaranteeing IT security and the Bank’s IT operations,
Prevention and investigation of criminal offences,
Video surveillance in order to exercise our right to determine who shall be allowed or denied access, to gather evidence in the event of robberies or fraud, or to substantiate cash receipts or pay-outs, e.g. at cash dispensers (see also section 4 BDSG),
Building and site security measures (e.g. access controls),
Measures to guarantee the domestic authority,
Measures related to business management and the further development of products and services.

c. Based on your consent (Art. 6 (1) a GDPR)

If you have given us your consent to process personal data for specific purposes (e.g. to record a phone call or contact you by email or telephone for marketing purposes), the processing of this data is lawful on the basis of your consent. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent granted to us before the entry into force of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that this withdrawal of consent is not retroactive. Data processing that took place before consent was withdrawn is not affected.

d. On the basis of statutory provisions (Art. 6 (1) c GDPR) or in the public interest (Art. 6 (1) e GDPR)

As a bank, we are also subject to a range of legal obligations, i.e. statutory requirements (under the German Banking Act (KWG), the Anti-Money Laundering Act (GwG), the German Securities Trading Act (WpHG), and tax legislation, for example) and regulatory requirements (imposed by institutions such as the European Central Bank, European Banking Authority, Deutsche Bundesbank, and the Federal Financial Supervisory Authority). Data is processed for purposes including credit checks, identity and age checks, prevention of fraud and money laundering, the fulfilment of monitoring and reporting obligations under tax law, and the evaluation and management of risks within the Bank and the HSBC Group.

4. Who will receive my data?

Access to your data is provided to those departments within the Bank that need this data in order to meet our pre-contractual, contractual and legal obligations or that have a legitimate interest in accessing this data.

We only share your personal data with third parties as far as legally permitted, cf. Art. 6 GDPR.

So your personal data may be shared with third parties as other entities of the HSBC Group or service providers, as far as required for the purposes listed under section 3 of this Data Protection Information. These third parties are companies and businesses operating in the following areas: credit services, IT services, logistics, printing services, telecommunications, auditing, advice and consultancy, and sales and marketing. We have agreed on extensive contractual rules with all our data recipients to protect the data which shall be processed. Furthermore, our data recipients have an obligation of secrecy.

To fulfill a legal obligation recipients of personal data could include for example:

Public bodies and institutions (e.g. Deutsche Bundesbank, the German Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, tax authorities, and law enforcement authorities) if a legal or official obligation exists.
Other banks and financial service institutions or similar bodies to which we provide personal data in order to conduct our business relationship with you (e.g. correspondent banks, depositary banks, stock exchanges, and credit agencies, depending on the contract)
Other companies within the HSBC Group for risk management purposes based on legal or official obligations.

We may provide information to further data recipients provided we have your consent for the disclosure to these bodies.

5. Will data be transferred to a third country or an international organisation?

The recipients mentioned under section 4 are located in- and outside of the European Economic Area (“EEA”). A data transfer to bodies in countries outside the European Union and outside the EEA (“third countries”) only takes place as far as:

this is necessary for the execution of your orders (e.g. payment orders and orders to buy or sell securities),
it is prescribed by law (e.g. reporting obligations under tax law),
you have given us your consent,
the European Commission has decided that the respective third country or a territory or one or more specified sectors within this third country ensure an adequate level of protection,
as far as countries are concerned which aren’t subject to such an adequacy decision we have ensured that appropriate measures within the meaning of GDPR are in place for the protection of your personal data (e.g. by agreeing between both parties involved in the data transmission, to Standard Contractual Clauses, which have been issued by the European Commission, and additionally by ensuring that appropriate security measures are in place (such as data encryption, pseudonymization)); or
the aforementioned is not applicable, but we nevertheless are allowed to transfer the data in a lawful manner, for example, when the transmission is necessary for the establishment, exercise or defense of legal claims.

Further details regarding the safeguards, which we have put in place for the transfer of personal data to third countries, as well as a copy of the agreed Standard Contractual Clauses may be requested under: datenschutz@hsbc.de.

6. How long is my data stored?

Where necessary, we will process and store your personal data for the duration of our business relationship with you. This includes the contract origination and implementation stages. It should be noted that our business relationship is a contract for the performance of continuing obligation that is intended to run for a number of years.

If the data is no longer required for the fulfilment of contractual or statutory duties, it is periodically deleted unless its continued processing – for a limited time – is necessary for the following purposes:

Fulfilment of duties to preserve records under commercial and tax law: relevant legislation in this respect includes, in particular, the German Commercial Code (HGB), the German Tax Code (AO), the KWG, the GwG and the WpHG. The time periods specified in these laws for the retention of records and/or documentation range from two to ten years.
Preservation of evidence in line with the statutory limitation periods. In accordance with section 195 et seq. of the German Civil Code (BGB), these limitation periods can last up to 30 years although the standard limitation period is three years.

7. What data protection rights do I have?

In accordance with the procedural rules set out in Article 12 GDPR, every data subject has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. The right of access and the right to erasure are subject to limitations under sections 34 and 35 BDSG.

Data subjects may consult the Bank’s data protection officer for any matters in relation to the processing of their personal data and the exercise of their rights in this regard (Article 38 (4) GDPR).

There is also a right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG).

8. Do I have a duty to provide data?

Within the scope of our business relationship, you only need to provide the personal data that is required to establish, execute and terminate our business relationship and any information that we are legally obliged to collect. If such data is not provided, we will generally be unable to conclude a contract with you or execute an order for you and we may be forced to suspend the performance of any existing contract or terminate such an existing contract, if applicable.

In accordance with the anti-money laundering regulations, we are specifically obliged to identify you using an identification document prior to the establishment of the business relationship and to collect and record your name, place and date of birth, nationality, address, and identification data. So that we can satisfy this statutory obligation, you are required under applicable anti-money laundering legislation to provide us with the necessary information and documentation and to promptly notify us of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we are not permitted to commence or continue the business relationship desired by you.

9. To what extent do we use automated decision-making?

We do not use fully automated decision-making processes within the meaning of Article 22 GDPR.

10. To what extent do we use my data for profiling?

For anti-money laundering purposes, we process your data on an automated basis with the aim of evaluating certain personal aspects (profiling). Statutory and regulatory provisions require us to take action against money laundering, the financing of terrorism, and other criminal offences that pose a threat to assets. Data analysis (including in relation to payments) forms part of these measures, which also serve to protect you.

Information regarding your right to object pursuant to Article 21 of the General Data Protection Regulation (GDPR)

1. Right to object on a case-by-case basis

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on Article 6 (1) e GDPR (data processing in the public interest) or Article 6 (1) f GDPR (data processing on the basis of a balancing of interests); this also applies to any profiling based on this provision within the meaning of Article 4 no. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing the data which override your interests, rights and freedoms, or for the establishment, exercise, or defense of legal rights.

2. Objection to the processing of data for direct marketing

In individual cases, we use your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling, to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, we will no longer process your personal data for this purpose.

The objection is not subject to any particular requirements of form and should, if possible, be addressed to:

HSBC Continental Europe S.A., Germany
Data Protection Officer
Hansaallee 3
40549 Düsseldorf, Germany
Telephone: +49 (0)211 910 2006
Fax: +49 (0)211 9109 2125
Email: datenschutz@hsbc.de