Privacy notice for customers

The following privacy notice provides an overview of how your data are collected, processed and used in connection with our business relationship.

The following information is intended to give you an overview of how we process your personal data and what your rights are under data protection laws. Which data are processed in detail and how they are used depends largely on the specific contractual relationship.

1. Who is responsible for data processing and whom can I contact?

The controller is:

KfW IPEX-Bank GmbH
Palmengartenstr. 5–9
60325 Frankfurt am Main, Germany

Tel: +49 69 74 31-33 00
Fax: +49 69 74 31-85 36

You can contact our data protection officer at:

KfW IPEX-Bank GmbH
Palmengartenstrasse 5–9
60325 Frankfurt am Main, Germany

2. Which sources and data are used?

We process personal data that we have received from our customers in connection with our business relationship, that we have acquired from publicly accessible sources (e.g. commercial registers, media, Internet), that we have obtained from our customers with their consent or that is justifiably transferred to us by other companies or other third parties.

2.1. Categories of personal data/type of data

Relevant personal data are, in particular, personal details (name, address and other contact details, date and place of birth and nationality, job title), identification data (e.g. ID data) and authentication data (e.g. sample signature).

2.2 Authentication information

KfW IPEX-Bank uses your authentication information (e.g. user name and password) to give only you access to confidential data.

Therefore, you should

  • keep your authentification information secret and not share it with third parties,
  • change them immediately if you suspect a password has been compromised,
  • not duplicate passwords across accounts.

3. For what purpose are your data processed and on what legal basis?

We process your personal data pursuant to the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgestz - BDSG) and other applicable legal provisions.

3.1 To fulfil contractual obligations

Data are processed to carry out banking transactions and financial services as part of contract fulfilment or to carry out pre-contractual measures upon request. Data are primarily processed in order to meet the requirements of the specific financing project and may include analyses of an investment's economic viability and social impact, advice and the execution of transactions.

3.2 To reconcile interests

If necessary, we also process your data to protect our justified interests or the justified interests of third parties. For example:

  • Advertising or market research and polling, as long as you have not objected to the use of your data,
  • Assertion of legal claims and defence in legal disputes,
  • Prevention and investigation of criminal activities,
  • Measures for business and risk management,
  • Maintaining the competitiveness of the sector through the use of efficiency-enhancing technologies (e.g. AI).

3.3 On the basis of your consent

If you have given us your consent to process personal data for specific purposes, such processing is legal on the basis of your consent. Consent is given voluntarily and may be withdrawn at any time. This also applies to the withdrawal of declarations of consent. Please note that the withdrawal will only take effect for the future. Processing that was carried out before consent was withdrawn is not affected by this.

3.4 On the basis of legal requirements

In addition, as a bank we are subject to various legal obligations, i.e. statutory re-quirements (e.g. German Banking Act (Kreditwesengesetz - KWG), Money Laundering Act (Geldwäschegesetz - GwG), Securities Trading Act (Wertpapierhandelsgesetz - WpHG), tax laws) and regulatory requirements (e.g. the European Central Bank, the European banking regulators, the German Bundesbank and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht). The data are processed for purposes including measures for identity and age verification, fraud and money laundering prevention, the fulfilment of tax control and reporting obligations as well as risk evaluation and management.

4. Who receives my data?

Within the bank, the departments that need your data to fulfil the contractual relationship and legal obligations will be given access to your data.

Service providers and persons employed by us in the performance of our obligations (Erfüllungsgehilfen) may also obtain data for these listed purposes. They are contractually bound to the same data privacy standards, may only process your personal data to the same extent and for the same purposes as we do and are subject to our instructions. These are companies operating in the fields of banking services, consulting, and sales and marketing.

With respect to transferring data to recipients outside the bank, it is important to note that we comply with the applicable data privacy regulations. We may only disclose information about you if required to do so by law, if you have given your consent or if we are authorised to provide such information. Under these conditions, recipients of personal data could include:

  • public bodies and institutions (e.g. German Bundesbank, Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht), European banking regulators, European Central Bank, tax authorities, law enforcement authorities) in the event of a legal or official obligation;
  • other credit and financial services institutions or similar institutions to which we transfer personal data for the purpose of managing our business relationship with you (e.g. correspondent banks, custodian banks depending on the contract).

Other data recipients may be those bodies in respect of which you have given us your consent to the transfer of data.

5. How long will my data be stored?

If necessary, we process and store your personal data as long as necessary to satisfy contractual and legal obligations.

In addition, we are subject to various storage and documentation obligations arising from the German Commercial Code (Handelsgesetzbuch - HGB), the German Fiscal Code (Abgabenordnung - AO), the German Banking Act (Kreditwesengesetz - KWG), the German Money Laundering Act (Geldwäschegesetz - GwG) and the German Securities Trading Act (Wertpapierhandelsgesetz - WpHG). The periods for retention and documentation stipulated in these laws range from two to ten years. Finally, the storage period also depends on the statutory limitation periods, which may be as long as thirty years according to Articles 195 ff. of the German Civil Code (Bürgerliches Gesetzbuch - BGB), whereby the regular limitation period is three years.

As soon as data storage is no longer necessary to execute the contractual relationship, there are no statutory retention periods and in individual cases there are no predominant justified interests for further storage, your data will be deleted.

6. Are data transferred to a third country or an international organisation?

Data may be transferred to third countries (countries outside the European Economic Area (EEA)) to the extent permitted by data privacy requirements, for example, if the data transfer is required to execute your contractual relationship, is prescribed by law or you have given us your consent. Insofar as personal data are transferred by KfW IPEX-Bank from the European Union/the European Economic Area to its branches and representative offices, KfW IPEX-Bank will make use of instruments that are conform with data protection requirements in order to ensure that the branches and representative offices process such data with due care in accordance with European standards (EU model clauses and, in the event of legally dependent branches and representative offices, a guarantee declaration under data protection laws, the content of which can be accessed electronically via the following link: guarantee declaration).

7. What data protection rights do I have?

Every person affected has the right to information about the processing of his or her personal data, the right to rectification, the right to deletion, the right to restrict pro-cessing, the right to withdraw consent and the right to data transferability within the framework of legal requirements. In addition, there is a right of appeal to a data protection supervisory authority.

8. Am I obligated to make data available?

Within the framework of our contractual relationship, you only have to provide the personal data necessary to enter into and execute a business relationship and fulfil the associated contractual obligations. Without this information, we will generally not be able to enter into or execute the contract with you or your company. In particular, under the money laundering provisions, we are obligated to identify you on the basis of your identification document before entering into the business relationship and to collect and record your name, place of birth, date of birth, nationality, address and identification data.

In order for us to comply with this legal obligation, you may have to provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue the business relationship you or your company has requested.

9. To what extent is there automated decision-making in individual cases?

We do not use automated processes to initiate a decision on entering into and executing your business relationship.

10. To what extent is my data used for profiling (scoring)?

We do not process your data automatically with the aim of evaluating certain personal aspects (profiling or scoring).

Information on your rights to object

1. Individual right to object

You have the right to raise an objection, at any time, for reasons arising from your particular situation, to the processing of your personal data that is carried out on the basis of data processing in the public interest and data processing performed to reconcile interests; this also applies to profiling on the basis of this provision.

If you raise an objection, we will no longer process your personal data, unless we can provide compelling evidence as to why processing is worthwhile that override your interests, rights and freedoms, or unless processing serves to assert, exercise or defend legal claims.

2. Right to object to the processing of data for direct marketing purposes

In individual cases we process your personal data for direct marketing purposes. You have the right to raise an objection to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling, insofar as it is associated with direct advertising of this kind.

If you object to data processing for direct advertising purposes, we will no longer process your personal data for such purposes.

Objections may be raised informally and should be addressed to:

KfW IPEX-Bank GmbH
Palmengartenstr. 5–9
60325, Frankfurt am Main, Germany
Tel: +49 69 74 33-00
Fax: +49 69 74 31-85 36