Privacy Notice: NORD/LB

Privacy Notice

We would like to give you the opportunity to view our current data protection information at any time

Customers and other affected parties

In this data protection notice, we inform you about which personal data we process in the context of our business relationship with you.

Image and video recordings

We hereby inform you about the processing of your personal data by us and the claims and rights to which you are entitled under the data protection regulations.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

As part of the processing of your personal data, we collect not only your image or video recording, but also the information you have provided to us in your consent. In addition, your name may be processed if it is already known to us without your express consent.

This data is collected directly from you.

3. What do we process your data for (purpose of processing) and on what legal basis?

Norddeutsche Landesbank processes your personal data for the following purposes, among others:

Provision of the recordings to the participants;
Internal image database, or image archive;
use in the internal network (intranet);
Presentation and promotion of our own services;
References to other and similar events;
for our own print media and similar publications;
Advertising purposes;
Public coverage of the event;
Public Relations;
Use on our website;
Publication on social media (LinkedIn, Xing, Instagram and Facebook);
Management of your consent to the publication of photographs, in particular for the recording and processing of your revocation.

If we publish your image or video recordings outside of our internal intranet, we process your personal data on the basis of consent in accordance with Art. 6 (1) (a) GDPR.

When using image and video recordings that are used exclusively on our internal intranet, we process your personal data within the framework of our legitimate interest within the meaning of Art. 6 (1) (f) GDPR.

4. Who gets your data?

The personal data and addresses of the consenters and the persons depicted will not be passed on to third parties.

The corresponding images are published in accordance with the consent given and can therefore be made available to an unspecified group of people, including abroad.

In addition, Norddeutsche Landesbank commissions various service providers as processors. These service providers, in particular from the "IT services and telecommunications" sector, may also have access to your personal data.

5. How long will your data be stored?

The images will be retained for as long as is necessary for the purposes mentioned. Internally, the recordings can be stored without restriction, for example to secure copyright claims by providing evidence of original recordings and for reasons of contemporary historical documentation. In the event of publication, the recordings may be made available as long as the respective publication carriers, articles or contributions are publicly available.

If we do not collect your personal data based on consent, we will process it until we receive your objection in accordance with Art. 21 GDPR. In the case of processing based on consent, the processing will also take place until you revoke it. The circumstances and duration of the consent as well as the declaration of consent itself will be stored until no more rights can be asserted against the bank based on the consent.

6. Is data transferred to a third country or to an international organization?

There is no intention to share your data with third parties. However, as part of a publication on our internal intranet, it could happen that employees at our international locations can also view your picture or video.

The images in question are published in accordance with the consent given and can therefore be made available to an unspecified group of people, including abroad.

A transfer of your personal data to a third country or an international organization takes place to the extent that the photos with your pictures are published on social media. The servers of the social media providers are usually located in a third country. Since there is no adequacy decision pursuant to Art. 45 GDPR and no suitable safeguards pursuant to Art. 46 GDPR that secure the transfer to the USA, the transfer can only take place here with your consent. If you have expressly consented to a transfer of your personal data, the transfer is justified in accordance with Art. 49 (1) (a) GDPR.

7. What data protection rights do you have?

Every data subject has the right to information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. The right to information and the right to erasure are subject to the restrictions under §§ 34 and 35 BDSG. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).

8. Is there an obligation for you to provide data?

The provision of your personal data is neither required by law nor contract, nor is it necessary for the performance of the employment relationship. There is no obligation to provide this data. However, the provision is necessary so that the photographs and video recordings can be used within the framework of the consent given.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Web conferencing tools

We hereby inform you about the processing of your personal data by Norddeutsche Landesbank Girozentrale (NORD/LB) in the context of the use of web conferencing tools as well as about your rights under data protection regulations.

1. Who is responsible for data processing and whom can I contact?

Controller:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

Data Protection Officer:

Norddeutsche Landesbank – Girozentrale –
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What data is processed and from which sources does it originate?

We process personal data that you provide to us as part of the registration and participation in web conferences. These include:

Name, e-mail address, IP address
Image and sound data when the camera and microphone are actively used
Metadata about the connection and use of the web conferencing tool
Post-event feedback data

The data is collected directly from you.

3. What do we process your data for (purpose of processing) and on what legal basis?

Based on your consent (Art. 6 (1) (a) GDPR)

Registration to participate in virtual events
Sending access data and information
Recording of image and sound (only with prior consent)

In the context of the balancing of interests (Art. 6 (1) (f) GDPR)

Implementation and technical provision of the web conference
Ensuring functionality and security
Processing of feedback data
Record for documentation (unless consent is required)

In the context of the employment relationship (Art. 6 (1) (b) GDPR)

Use by employees in the context of official tasks

Based on legal obligations (Art. 6 (1) (c) GDPR)

Record-keeping obligations in the event of a legal requirement

4. Who gets your data?

Within the bank, only those departments that need it to carry out the web conference are granted access. In addition, the following recipients may be involved:

Processor for the web conferencing tool
Full-service partner for organization and implementation

It will not be passed on to other third parties.

5. Is data transferred to a third country or to an international organization?

The processing takes place exclusively within the EU/EEA. A transfer to third countries is not envisaged, unless you have previously consented, and an adequate level of data protection is ensured.

6. How long will your data be stored?

Web conference recordings: 7 days (with consent)
Other data: only for as long as necessary or required by law

7. Is there an obligation for you to provide data?

The provision of your personal data is voluntary. Without this data, however, participation in the web conference is not possible.

8. What data protection rights do you have?

9. Right of withdrawal

You can revoke your consent to processing at any time with effect for the future. After the revocation, your data will no longer be processed.

10. Automated decision-making and profiling

There is no automated decision-making and no profiling in accordance with Art. 22 (1) and (4) GDPR.

11. Information about your right to object according to Art. 21 GDPR

You have the right to object at any time to the processing of your personal data on the basis of Art. 6 (1) (f) GDPR on grounds relating to your particular situation.

In the event of an objection, your data will no longer be processed, unless there are compelling reasons worthy of protection or the processing serves to assert, exercise or defend legal claims.

The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

Video surveillance

We hereby inform you about the processing of your personal data by Norddeutsche Landesbank Girozentrale (NORD/LB) in the context of video surveillance as well as about your rights under data protection regulations.

1. Who is responsible for data processing and whom can I contact?

Controller:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

Data Protection Officer:

Norddeutsche Landesbank – Girozentrale –
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What data is processed and from which sources does it originate?

NORD/LB processes image data of persons who are in the monitored area. These include:

Video recordings of people on the premises, in branches and at ATMs
Identification features such as clothing and objects carried
Facial recognition for ATM transactions

The data is collected directly from the data subjects.

3. What do we process your data for (purpose of processing) and on what legal basis?

In the context of the balancing of interests (Art. 6 (1) (f) GDPR):

The processing is carried out for:
Preservation of domiciliary rights
Prevention and investigation of vandalism and crimes
Preservation of evidence
Protecting employees, customers and visitors
Clarification of deposit and withdrawal processes at ATMs

4. Who gets your data?

Within the bank, access is granted only to those entities that need it to fulfil the stated purposes. Only the following will be passed on:

To public bodies (e.g. police) in the event of a criminal offence
Within the framework of legal powers

There is no provision for transfer to third countries or international organisations.

5. How long will your data be stored?

Recordings in public spaces and foyers: 72 hours
Transaction-related recordings at ATMs: 90 days

6. Is there an obligation for you to provide data?

The provision of your personal data is not required by law or contract. Failure to provide it has no negative consequences.

7. What data protection rights do you have?

8. Is there automated decision-making or profiling?

There is no automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR.

9. Information about your right to object according to Art. 21 GDPR

You have the right to object at any time to the processing of your personal data on grounds relating to your particular situation, provided that this is carried out on the basis of Art. 6 (1) (f) GDPR.

In the event of an objection, your data will no longer be processed, unless there are compelling reasons worthy of protection or the processing serves to assert, exercise or defend legal claims.

The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank Girozentrale
Friedrichswall 10
30159 Hanover
Germany

E-mail: kundenservice@nordlb.de

Service providers

We hereby inform you about the processing of your personal data by us and the claims and rights to which you are entitled under the data protection regulations. Which data is processed in detail and in what way depends largely on the data that is necessary for the provision of the services agreed with you.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

We process personal data that we receive from you during our business relationship.

On the other hand, we process personal data that we have lawfully obtained from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers, press, media) and are permitted to process.

Relevant personal data are personal data (e.g. name, address and other contact details, date and place of birth and nationality) and legitimation data (e.g. ID card data). In addition, this may also include data from the fulfilment of our contractual obligations, information about your financial situation (creditworthiness data, scoring/rating data, origin of assets), documentation data (e.g. suitability declaration), register data.

In addition, all contractual documents associated with the order, including the subject matter of the order, invoices, all correspondence, bank details and all other data arising in relation to the performance of a contractual relationship, will be processed. If necessary, insofar as this is necessary for the fulfilment of the contract initiation or implementation, professional data such as certificates and professional qualifications, etc.

The data is provided by the data subject directly or by the service provider commissioned or to be commissioned.

As part of your service relationship, the personal data provided by you (e.g. master data, emergency contacts) as well as those data that arise based on the potential/current or former contractual relationship (e.g. billing data) will be processed.

3. What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

a. For the fulfilment of contractual obligations (Art. 6 (1) (b) GDPR)

The processing of personal data (Art. 4 No. 2 GDPR) is carried out for the establishment, administration and termination of contractual relationships.

The processing and transmission of personal data is carried out for the fulfilment of our contract or for the implementation of pre-contractual measures with you and the commissioning and execution of our orders.

This applies in particular to payroll accounting and contractual correspondence.

b. In the context of the balancing of interests (Art. 6 (1) (f) GDPR)

If necessary, we process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. Examples:

Consultation with credit agencies (e.g. CREFO) to determine creditworthiness or default risks;
Asserting legal claims and defending in legal disputes;
ensuring the bank's IT security and operations;
Prevent misuse, theft, loss, unjustified use, transfer to third parties or alteration of bank-related data, including personal and other customer data and trade secrets;
prevention and investigation of criminal offences;
Video surveillance is used to collect evidence in the event of crimes. They thus serve to protect customers and employees as well as to exercise domiciliary rights;
building and plant security measures (e.g. access controls);
measures to ensure domiciliary rights;
Business management measures

c. Based on your consent (Art. 6 (1) (a) GDPR)

Insofar as you have given us consent to the processing of personal data for certain purposes, the lawfulness of this processing is given on the basis of your consent. A given consent can be revoked at any time.

Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

d. Due to legal requirements (Art. 6 (1) (c) GDPR)

As a bank, we are subject to various legal obligations, i.e. legal requirements (e.g. the Banking Act, the Money Laundering Act, the Securities Trading Act, tax laws) as well as banking supervisory requirements (e.g. the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the Federal Financial Supervisory Authority as well as the savings bank supervisory authorities responsible under the respective state laws). The purposes of the processing include, among other things, the fulfilment of control and reporting obligations under tax law as well as the assessment and management of risks.

4. Who gets your data?

Within the bank, access to your data is granted to those entities that need it to fulfil our contractual and legal obligations. Processors used by us (Art. 28 GDPR) may also receive data for these purposes. These are companies in the categories of banking services, IT services, logistics, printing services, telecommunications, debt collection, consulting and consulting.

Outside the Bank, we may only pass on information about you if required by law, if you have consented or if we are authorised to provide information. Under these conditions, recipients of personal data can be, for example:

Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities) in the event of a legal or regulatory obligation.

Other data recipients may be those entities for which you have given us your consent to the transfer of data or for which you have released us from trade secrets in accordance with the agreement or consent.

5. How long will your data be stored?

If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract.

In addition, we are subject to various retention and documentation obligations, which result from the German Commercial Code (HGB), the Tax Code (AO), the Banking Act (KWG), the Money Laundering Act (GwG) and the Securities Trading Act (WpHG). The retention or documentation periods specified there are two to ten years.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), can usually be 3 years, but in certain cases up to thirty years.

6. Is data transferred to a third country or to an international organization?

Data will only be transferred to third countries (countries outside the European Economic Area – EEA) if this is necessary for the purpose of the service relationship, if it is required by law or if you have given us your consent. We will inform you separately about details if required by law.

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

As part of the service relationship, you only have to provide personal data that is necessary for the establishment, performance and termination of the contractual relationship or that we are legally obliged to collect. Without this data, we will usually no longer be able to conclude the contract or an existing contract and may have to terminate it.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Information about your right to object according to Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) GDPR (data processing in the public interest) and Art. 6(1)(f) GDPR (data processing based on a balancing of interests).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: datenschutz@nordlb.de

Application procedure

The following data protection information provides an overview of the collection, processing and use of your personal data in connection with your application.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank – Girozentrale –
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

We process personal data that we receive from you as part of your application.

Relevant personal data are personal identification data (name, address and other contact details, date and place of birth and nationality), electronic identification data (e.g. IP address, cookies, memberships (e.g. charitable or charitable organisations, associations, groups), and health data within the scope of permissibility (e.g. disability).

3. What do we process your data for (purpose of processing) and on what legal basis?

The purpose of the data processing is the initiation of an employment relationship in accordance with Art. 6 (1) (b) GDPR.

4. Who gets your data?

Within the bank and the group, those departments that need it to initiate the employment relationship will receive your data. Disclosure to authorities will only take place in the presence of overriding legal provisions.

Since application management is carried out via SAP Success Factors, your data will also be processed and stored by SAP. There is a contract with SAP for order processing in accordance with Art. 28 GDPR.

5. How long will your data be stored?

Your data will be stored for the duration of the application process. After a decision has been made on your application or after the position has been awarded, the data will be stored for 6 months. If you have agreed to be included in our talent pool in accordance with Art. 6 (1) (a) GDPR, your data will be stored for a maximum of two years. You can revoke this consent at any time.

6. Is data transferred to a third country or to an international organization?

Data will not be transferred to third countries (countries outside the European Economic Area -EEA).

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

As part of the application process, you only have to provide the personal data that is necessary for the establishment, implementation and termination of the contractual relationship or that we are legally obliged to collect.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

SWIFT transfer

In addition to our General Data Protection Notice, the Data Protection Notice in the Brokerage Business and the Terms and Conditions for Credit Transfers, we provide information below about the processing of your personal data in the case of cross-border credit transfers and express transfers within Germany by us and the Society for Worldwide Interbank Financial Telecommunication SC (SWIFT) as part of the SWIFT transaction processing service and the data protection regulations Claims and rights to which they are entitled.

NORD/LB processes your personal data together with SWIFT in the context of international and express transfers via the SWIFT transaction processing service.

1. Who is responsible for data processing and whom can I contact?

The SWIFT transaction processing service enables payment service providers, such as banks, to exchange the personal data necessary for the execution of payment orders. The respective responsibilities are defined in a joint contract pursuant to Art. 26 (1) GDPR between NORD/LB and SWIFT, which is referred to as the "SWIFT Personal Data Protection Policy".

Joint Controllers:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
Data Protection Officer: datenschutz@nordlb.de

Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Address: Avenue Adèle 1, B-1310 La Hulpe, Belgium

Phone: +32 2 655 31 11
Website: www.swift.com
Data Protection Officer: privacy.officer@swift.com

2. What do we process your data for (purpose of processing) and on what legal basis?

We process your personal data to safeguard the following legitimate interests in accordance with Art. 6 (1) (f) GDPR:

Settlement of payment orders within the framework of the SWIFT transaction processing service
Preliminary verification of payment orders, including verification of the existence of the payee's account
Monitoring and management of payment orders
Prevention and investigation of crimes
Risk management within NORD/LB and at the payment service providers connected to SWIFT

3. What sources and data do we use?

We process personal data that we have received from and derived from customers for the secure execution of payment orders for cross-border transfers and express transfers in Germany.

The personal data processed include:

Personal details (e.g. name, address)
Order data (e.g. account numbers of the client and the beneficiary)
Information on the intended use
Transaction identifiers (e.g. transaction reference number)

4. Who gets your data?

As part of the joint responsibility, the following entities have access to your data:

Institutions necessary to perform the SWIFT transaction processing service or to comply with legal obligations.
Service providers in the fields of specialist and IT services as well as telecommunications.

SWIFT processes pseudonymized data for statistical analyses and product development on its own responsibility. This data is used to detect anomalies for fraud prevention and to improve payment efficiency on the SWIFT network. This data is stored for a period of 13 months within the European Union and Switzerland. If you have any questions or requests for information, please contact SWIFT directly.

5. Is data transferred to a third country or to an international organization?

Data will be transferred to entities in countries outside the European Union (so-called third countries) if it is necessary for the execution of your payment orders or if it is legally required. Furthermore, a transfer to entities in third countries is provided for in the following cases, whereby data protection obligations are complied with when transferring data to third countries and additional technical and organizational measures are taken to protect personal data: For reasons of reliability, availability and security, SWIFT stores payment data in its data centers in the European Union, Switzerland and in the case of third-country transactions in the United States. If this is necessary in individual cases, your personal data will be transferred to an IT service provider

in the USA or another third country to ensure IT operations in compliance with the European level of data protection.

6. How long will your data be stored?

We process and store your personal data for as long as it is necessary for the performance of the SWIFT transaction processing service or for compliance with legal and legal obligations.

7. Is there an obligation for you to provide data?

The provision of your data is necessary in order to be able to securely execute your payment orders using the SWIFT transaction processing service.

8. What data protection rights do you have?

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

Within the framework of the SWIFT transaction processing service, there is generally no fully automated decision-making including profiling in accordance with Art. 22 GDPR.

10. What should you know about the right to object under Art. 21 GDPR?

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

If you wish to object to the processing of pseudonymised account statistics by SWIFT for the "Statistical Analysis and Product Development" service, please indicate your account number(s), the name of the account holder(s), the name(s), the BIC of your account-holding bank(s) (Business Identifier Code) and your e-mail address and send your objection to: opt.out@swift.com.

NORD/LB WLAN HotSpot "NLB-Guest"

NORD/LB offers the NORD/LB WLAN HotSpot "NLB-Guest". In doing so, we also process your personal data.

1. What do we process your data for (purpose of processing) and on what legal basis?

Norddeutsche Landesbank (NORD/LB) processes your personal data for the following purposes:

Technical access: IP addresses, MAC addresses and log files are required to give you access to the Wi-Fi guest network.
Location data: This data is derived from the connection to the WLAN and the location of NORD/LB and is necessary to provide the WLAN network at this location.
Connection data: Automatically collected information such as the time of connection, disconnection, roaming data and connection times is required to provide service.
Surfing behaviour: Data about your surfing behaviour is collected in order to apply blacklists and content filters. This is to prevent access to illegal or inappropriate internet services. Providers of guest Wi-Fi are obliged to prevent misuse via their networks. NORD/LB also stores this data in order to be able to provide information in the event of a lawful request from law enforcement authorities.
Use of data: All personal data is collected exclusively for the technical provision of Wi-Fi access and is not used for other purposes.

The legal basis for the processing of your data is your consent to the terms of use of the "NLB-Guest" Wi-Fi hotspot, which corresponds to a contractual agreement in accordance with Art. 6 (1) (b) GDPR.

2. What sources and data do we use?

When you connect to the Wi-Fi hotspot, device-specific identifiers and connection data are collected. This identification data is automatically collected by the central network management system and is necessary to enable the use of the hotspot.

3. Who gets your data?

Your personal data will not be passed on to third parties. The information will only be used in accordance with your consent to provide the Wi-Fi hotspot service.

NORD/LB has commissioned Telekom AG as a service provider and processor. These service providers, operating in the "IT Services and Telecommunications" category, may also have access to your personal data.

4. Is data transferred to a third country or to an international organization?

There is no intention to transfer personal data to third countries or international organisations. The service is provided exclusively in European data centers, and information is not forwarded to third countries.

5. How long will your data be stored?

All personal data is stored in the central management system for a maximum of 60 days and then automatically deleted.

6. Is there an obligation for you to provide data?

The provision of your personal data is neither required by law nor contract and is not necessary for the conclusion of a contract. However, if the Hotspot Service is not provided, it will not be possible to use it.

7. What data protection rights do you have?

8. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling in accordance with Art. 22 (1) and (4) GDPR.

VideoIDENT

How we handle your data and your rights

The following data protection information provides an overview of the collection, processing and use of your personal data in connection with VideoIDENT.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank Girozentrale
Data Preotection Officer
Friedrichswall 10
30159 Hanover
Germany

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

Various data is collected as part of the VideoIDENT procedure:

Identification data: This includes all information needed to verify identity, such as ID details (name, date of birth, address).
Verification data: This data is necessary to prove that the identification has been carried out. This includes, for example, scans of the ID card or recordings of the video identification process. This data will be processed in accordance with the provisions of the law and the legitimate interest.

3. What do we process your data for (purpose of processing) and on what legal basis?

All data collected or obtained during the VideoIDENT procedure will be used by NORD/LB for the purposes of personal identification on behalf of the respective business partner. The responsible person and contact person for questions about the processing of your data is the business partner.

The identification is necessary for the contractual relationship between the user and the business partner, usually due to legal requirements, the legal basis is therefore Art. 6 (1) (b) and (c) GDPR.

4. What data is processed and to what extent?

The scope of the processing and use of the data carried out by NORD/LB in the context of identification depends on the reason for identification, i.e. the intended or already existing contractual relationship between you as a user and the respective business partner involved, as well as the legal requirements for proof of identification (e.g. in accordance with the requirements of the Money Laundering Act, Telecommunications Act, etc.).

When carrying out identification with the VideoIDENT procedure, NORD/LB collects a maximum of the following data from the user (depending on the reason for use):

a. Identity card data

Salutation
Title/Academic Degree
Name
First name (all first names)
Birth name
Place of birth
Date of birth
Nationality
Street and house number
Postal code and city
ID card data (e.g. ID card type, ID card number, place and date of issue, issuing authority, period of validity)
Mobile phone number
E-mail address

As part of your identification, you may be sent a transaction number by e-mail, which can be used to start the identification process at any time. The user's e-mail address is required for this purpose. The mobile phone number is required as a secure second factor in the sense of two-factor authentication for the transmission of a TAN for individual procedures.

b. Verification data

If the business partner requests identification in accordance with certain legal requirements (e.g. Money Laundering Act (AMLA), Telecommunications Act (TKG), eIDAS (electronic IDentification, Authentication and trust Services Regulation, etc.), this includes the transmission of ID data and – depending on the identification procedure – the data of proof of identification (proof data). Depending on the procedure, this can be the following data:

Photo/screenshot of the user
Photo/scan of the identity document
Photo/scan of the driver's license
Recording (audio and video) of the entire identification process
Place and time of identification
Photo/scan of the signature

NORD/LB guarantees that all data collected is processed in accordance with the applicable data protection regulations.

5. Who gets your data?

If the identification is carried out in the context of a specifically desired contract conclusion with a business partner, the data required for the respective proof of identity will be transmitted to the desired business partner after completion of the identification.

Service companies and service providers are involved in the implementation of identification as well as customer service and IT services.

Data processing takes place exclusively on the territory of the European Union (EU) and in the European Economic Area (EEA) in audited data centers.

6. Is data transferred to a third country or to an international organization?

As part of the implementation of the VideoIDENT procedure through video chat, additional

a photo/screenshot of the user (portrait photo)
a photo/screenshot of the identity document and
a complete audio-visual call recording was made.

This recording data as well as the identification data may be used by NORD/LB for the purpose of monitoring the procedure, in particular for quality assurance measures with regard to compliance with the legal requirements of the procedure.

7. Possible processing of biometric data

Furthermore, biometric data can be processed through video chat as part of the implementation of the VideoIDENT procedure in order to better detect fraud attempts such as identity theft. The position data of the face is compared with the identity document.

Your biometric data is not stored. Only results of the processing that do not themselves constitute biometric data and do not allow any conclusions to be drawn about the person to be identified are stored. In addition, there is no further processing, such as for analysis or profiling