Privacy Notice

We would like to give you the opportunity to view our current data protection information at any time

Customers and other affected parties

In this data protection notice, we inform you about which personal data we process in the context of our business relationship with you.

License plate recognition

We hereby inform you about the processing of your personal data by us and the claims and rights to which you are entitled under the data protection regulations.

1. Who is responsible for data processing and who can I contact?

The controller is:
Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-Mail: kundenservice@nordlb.de

You can contact our data protection officer at:
Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361 2808
E-Mail: datenschutz@nordlb.de

2. What types of personal data do we use?

According to the posted signs, the parking lot is under video surveillance. In this context, the following categories of personal data are processed:

Image and video recordings
License plates
Usage data (car park identifier, date and time of entry and exit)
Contact and Payment Information

For the use of the car park, it is possible to voluntarily use a customer account with the parking operator commissioned by us (e.g. to make parking transactions or payments more convenient).

If you use such a customer account, the processing of the personal data required for this purpose (e.g. registration, contact or payment data) is carried out by the parking operator in its own responsibility.

This data protection notice applies exclusively to the processing personal data in the context of the use of parking spaces, for which we
Responsible persons. For processing in connection with the customer account, the data protection information of the respective parking operator applies.

3. What do we process your data for (purpose of processing) and on what legal basis?

Norddeutsche Landesbank processes your personal data for the following purposes:

Access control and authorization verification;
Proper parking management;
handling of parking transactions;
Clarification of irregularities and abuse;
Exercising domiciliary rights and protecting property.

The processing of personal data is carried out on the basis of Art. 6 (1) (b) GDPR as a contractual service and Art. 6 (1) (f) GDPR on the basis of the legitimate interest of the controllers.

4. Who gets your data?

In principle, your personal data will only be processed by the which is necessary for the operation and management of the car park
are required.

The collection and technical processing of image, video and License plate data is provided by:

Arivo GmbH
Am Innovationspark 10
8020 Graz
Austria

Arivo GmbH is a company commissioned by us Parking lot operators as processors. The latter acts exclusively according to our instructions and does not process the data for its own purposes.

In addition, within our company, only those provide access to the data that they provide for the processing of the use of the parking space, to process payment transactions or to clarify irregularities.

It will not be passed on to other third parties, unless there is a statutoryt here is an obligation to do so.

5. How long will your data be stored?

We process and store personal data in connection with use of the parking space only for as long as it is necessary for the respective purposes is required. The storage period depends on the type of storage parking process and its completion status.

In the case of anonymous users, data will be deleted if no parking space is used after a few minutes at the latest. In the case of anonymous, duly completed and paid parking transactions are stored for up to one day.

When registered users complete their parking transactions, the data is stored for up to 30 days. If billing is made on account, the data will be retained for up to 30 days after invoicing. Completed parking sessions with unpaid costs will be storedincompl for up to 90 days
to allow manual clarification.

Incomplete parking transactions are stored for varying periods depending on the circumstances. In the case of subsequently duly paid
parking transactions, the storage period is up to 30 days. Rejected transactions of registered users are stored for up to 7 days. Open or improperly completed parking transactions will be charged for stored for up to 90 days.

After the expiry of the respective deadlines, the data will be deleted or irreversibly anonymized. Longer storage will only take place if
this for the assertion, exercise or defence of legal claims or due to statutory retention obligations.

6. Is data transferred to a third country or to an international organization?

The processing of personal data is carried out by us as well as by a parking operator commissioned by us as a processor.

A transfer of personal data to countries outside the European Union (EU) or the European Economic Area (EEA) does not take place in principle. If, in individual cases, access from a third country should be required by the processor (e.g. as part of support or maintenance services), this exclusively in compliance with the legal requirements of the Art. 44 et seq. GDPR and on the basis of appropriate safeguards.

7. What data protection rights do you have?

Every data subject has the right to information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. The right to information and the right to erasure are subject to the restrictions under §§ 34 and 35 BDSG. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).

8. Is there an obligation for you to provide data?

The provision of certain personal data is necessary to allow the use of the parking lot. These include, in particular:
data used for access control, the processing of the parking process and may be necessary for payment processing.

If the required personal data is not provided, the use of the car park may not be allowed in whole or in part. as proper access control and handling of the parking process is not possible in this case.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Contact form

We hereby inform you about the processing of your personal data in the context of the use of the contact form by us and the claims and rights to which you are entitled under the data protection regulations.

1. Who is responsible for data processing and who can I contact?

The controller is:
Norddeutsche Landesbank - Girozentrale –
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-Mail: kundenservice@nordlb.de

You can contact our data protection officer at:
Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361 2808
E-Mail: datenschutz@nordlb.de

2. What types of personal data do we use?

We process personal data that you voluntarily submit to us as part of the use of the contact form.

These include, in particular:

Last name, first name
Email address
Phone number (if provided)
Company (if specified)
All contents of your request

3. What do we process your data for (purpose of processing) and on what legal basis?

We process your personal data exclusively for the purpose of processing your contact request and communicating with you.

The processing of personal data is carried out on the basis of Art. 6 (1) (a) GDPR on the basis of your consent and Art. 6 (1) (b) GDPR as a (pre-)contractual service, provided that your request is related to an existing or potential contractual relationship.

4. Who gets your data?

Within NORD/LB, only those departments that need it to process your request will have access to your information. Your personal data will not be passed on to external third parties unless there is a legal basis for this or you do not give us express consent.

5. How long will your data be stored?

The personal data transmitted via the contact form will only be stored for the duration of the processing of your request and will then be deleted or blocked, unless there are any statutory retention periods to the contrary.

6. Is data transferred to a third country or to an international organization?

A transfer of personal data to countries outside the European Union (EU) or the European Economic Area (EEA) will take place
does not take place in principle. If, in individual cases, access from a third country by the processor is necessary (e.g. in the context of support or maintenance services), this is carried out exclusively in compliance with the legal requirements of Art. 44 et seq. GDPR and on the basis of suitable guarantees.

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

To use the contact form, it is mandatory to provide your full name and e-mail address. This information is required in order to classify your request in the best possible way and to contact you if necessary.

The provision of further data is voluntary.

If the required personal data is not provided, the use of the contact form may not be possible in whole or in part. as proper contact is not possible in this case.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Whistleblower system

We operate a whistleblower system and an online reporting service associated with it. The following information serves to ensure transparency under data protection law when using this online reporting service, about the handling of reports received and about the type, scope and purpose of the collection and use of the data.

We hereby inform you about the processing of your personal data by us and the claims and rights to which you are entitled under the data protection regulations.

1. Who is responsible for data processing and who can I contact?

The controller is:
Norddeutsche Landesbank - Girozentrale –
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-Mail: kundenservice@nordlb.de

You can contact our data protection officer at:
Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361 2808
E-Mail: datenschutz@nordlb.de

2. What types of personal data do we use?

We process personal data that you provide to us in the context of submitting a notice.

These may include can be in particular:

Salutation
Last name, first name
Email address
Phone number
Other personal data that you voluntarily provide as part of your report

3. What do we process your data for (purpose of processing) and on what legal basis?

The whistleblower system is used to receive and process reports of possible violations or other grievances within the meaning of the statutory whistleblower regulations.

This includes, but is not limited to:

Criminal offences
Violations of legal or regulatory requirements
Violations of internal guidelines
Process deficiencies or weaknesses that create a need for action.

The processing of personal data is carried out on the basis of Art. 6 (1) (a) GDPR on the basis of your consent, if you voluntarily transmit the personal data, Art. 6 (1) (c) GDPR within the framework of a legal obligation in the course of whistleblower protection, and Art. 6 (1) (f) GDPR on the basis of the legitimate interest of the controllers in the investigation and prevention of violations.

4. Who gets your data?

Information will only be forwarded to NORD/LB's money laundering officer.

Within the framework of the statutory mandate, the Money Laundering Officer decides whether other competent internal bodies must be involved (e.g. Compliance, Legal Department, Auditing). This is always done while maintaining the greatest possible protection of your identity.

Disclosure to external third parties will only take place if:

there is a legal obligation, or
this is necessary for cooperation with investigating authorities, or
You have expressly consented.

5. How long will your data be stored?

Your personal data will only be stored for as long as is necessary for the processing, clarification and documentation of the reported facts.

In addition, we are subject to various retention and documentation obligations, which result from the German Commercial Code (HGB), the Tax Code (AO), the Banking Act (KWG), the Money Laundering Act (GwG) and the Securities Trading Act (WpHG). The retention or documentation periods specified there are two to ten years.
Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), can usually be 3 years, but in certain cases up to thirty years.

6. Is data transferred to a third country or to an international organization?

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

To submit a tip, it is mandatory to provide your full name and e-mail address. This information is required in order to classify your request in the best possible way and to contact you if necessary.

The provision of further data is voluntary.

If the required personal data is not provided, the transmission of a report may not be carried out in whole or in part. as proper contact is not possible in this case.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Newsletters

We hereby inform you about the processing of your personal data in the context of registration, the newsletter provided by us and the claims and rights to which you are entitled under the data protection regulations.

1. Who is responsible for data processing and who can I contact?

The controller is:
Norddeutsche Landesbank - Girozentrale –
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-Mail: kundenservice@nordlb.de

You can contact our data protection officer at:
Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361 2808
E-Mail: datenschutz@nordlb.de

2. What types of personal data do we use?

We process personal data that you provide to us as part of the newsletter registration.

Relevant personal data is in particular:

Email address (mandatory)
First name, surname, company (optional)
Technical protocol data of the DoubleOptIn procedure (e.g. IP address, timestamp of registration and confirmation)

3. What do we process your data for (purpose of processing) and on what legal basis?

The purpose of data processing is to send our newsletter and to document your consent.

The processing is carried out on the basis of Art. 6 para. 1 lit. a) GDPR (consent). Your consent will be obtained through the double opt-in procedure. This means that after you sign up, you will receive an email with a confirmation link. Only after clicking on this link is the registration complete.

4. Who gets your data?

Within NORD/LB, only those departments that need it to send and manage the newsletter will have access to your data.

5. How long will your data be stored?

Your personal data will be stored until you withdraw your consent. After unsubscribing from the newsletter, your data will be deleted from the mailing list immediately.

We store log data for the double opt-in (e.g. time of registration and confirmation) for a reasonable period of time due to legal obligations to provide evidence.

6. Is data transferred to a third country or to an international organization?

As a matter of principle, personal data will not be transferred to countries outside the European Union (EU) or the European Economic Area (EEA). If, in individual cases, access from a third country by the processor is necessary (e.g. in the context of support or maintenance services), this is carried out exclusively in compliance with the legal requirements of Art. 44 et seq. GDPR and on the basis of suitable guarantees.

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

To receive our newsletter, you only need to provide the personal data required to send it (e-mail address). The provision of further data is voluntary.
Without providing the e-mail address, we cannot send you the newsletter.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Event registrations

The following data protection information provides an overview of the collection, processing and use of your personal data in connection with your registration for our events.

1. Who is responsible for data processing and who can I contact?

The controller is:
Norddeutsche Landesbank - Girozentrale –
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-Mail: kundenservice@nordlb.de

You can contact our data protection officer at:
Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361 2808
E-Mail: datenschutz@nordlb.de

2. What types of personal data do we use?

We process personal data that you provide to us as part of your event registration via the corresponding registration form.
Relevant personal data is:

Salutation
Last name, first name
Address
Phone number
Email address
Company / Organization (if specified)
If applicable, other voluntary information that is necessary for the implementation of the event.

3. What do we process your data for (purpose of processing) and on what legal basis?

The purpose of the data processing is to process your registration, the planning, implementation and follow-up of the respective event.

The processing is carried out on the basis of Art. 6 (1) (a) GDPR (consent). After submitting the form, we receive a notification offired your registration. Without providing the data required for registration, participation in the event is not possible.

4. Who gets your data?

Within NORD/LB, only those departments that need it to carry out the event will have access to your data. Disclosure to external third parties will only take place if this is necessary for the event organization.

If an external service provider is involved, this is done on the basis of a data processing agreement in accordance with Art. 28 GDPR.

5. How long will your data be stored?

6. Is data transferred to a third country or to an international organization?

Your personal data will not be transferred to a third country (outside the EEA).

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

You only have to provide the personal data that is necessary for registration and participation in the event. Without this data, it is not possible to consider your registration.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Image and video recordings

We hereby inform you about the processing of your personal data by us and the claims and rights to which you are entitled under the data protection regulations.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

As part of the processing of your personal data, we collect not only your image or video recording, but also the information you have provided to us in your consent. In addition, your name may be processed if it is already known to us without your express consent.

This data is collected directly from you.

3. What do we process your data for (purpose of processing) and on what legal basis?

Norddeutsche Landesbank processes your personal data for the following purposes, among others:

Provision of the recordings to the participants;
Internal image database, or image archive;
use in the internal network (intranet);
Presentation and promotion of our own services;
References to other and similar events;
for our own print media and similar publications;
Advertising purposes;
Public coverage of the event;
Public Relations;
Use on our website;
Publication on social media (LinkedIn, Xing, Instagram and Facebook);
Management of your consent to the publication of photographs, in particular for the recording and processing of your revocation.

If we publish your image or video recordings outside of our internal intranet, we process your personal data on the basis of consent in accordance with Art. 6 (1) (a) GDPR.

When using image and video recordings that are used exclusively on our internal intranet, we process your personal data within the framework of our legitimate interest within the meaning of Art. 6 (1) (f) GDPR.

4. Who gets your data?

The personal data and addresses of the consenters and the persons depicted will not be passed on to third parties.

The corresponding images are published in accordance with the consent given and can therefore be made available to an unspecified group of people, including abroad.

In addition, Norddeutsche Landesbank commissions various service providers as processors. These service providers, in particular from the "IT services and telecommunications" sector, may also have access to your personal data.

5. How long will your data be stored?

The images will be retained for as long as is necessary for the purposes mentioned. Internally, the recordings can be stored without restriction, for example to secure copyright claims by providing evidence of original recordings and for reasons of contemporary historical documentation. In the event of publication, the recordings may be made available as long as the respective publication carriers, articles or contributions are publicly available.

If we do not collect your personal data based on consent, we will process it until we receive your objection in accordance with Art. 21 GDPR. In the case of processing based on consent, the processing will also take place until you revoke it. The circumstances and duration of the consent as well as the declaration of consent itself will be stored until no more rights can be asserted against the bank based on the consent.

6. Is data transferred to a third country or to an international organization?

There is no intention to share your data with third parties. However, as part of a publication on our internal intranet, it could happen that employees at our international locations can also view your picture or video.

The images in question are published in accordance with the consent given and can therefore be made available to an unspecified group of people, including abroad.

A transfer of your personal data to a third country or an international organization takes place to the extent that the photos with your pictures are published on social media. The servers of the social media providers are usually located in a third country. Since there is no adequacy decision pursuant to Art. 45 GDPR and no suitable safeguards pursuant to Art. 46 GDPR that secure the transfer to the USA, the transfer can only take place here with your consent. If you have expressly consented to a transfer of your personal data, the transfer is justified in accordance with Art. 49 (1) (a) GDPR.

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

The provision of your personal data is neither required by law nor contract, nor is it necessary for the performance of the employment relationship. There is no obligation to provide this data. However, the provision is necessary so that the photographs and video recordings can be used within the framework of the consent given.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Web conferencing tools

We hereby inform you about the processing of your personal data by Norddeutsche Landesbank Girozentrale (NORD/LB) in the context of the use of web conferencing tools as well as about your rights under data protection regulations.

1. Who is responsible for data processing and whom can I contact?

Controller:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

Data Protection Officer:

Norddeutsche Landesbank – Girozentrale –
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What data is processed and from which sources does it originate?

We process personal data that you provide to us as part of the registration and participation in web conferences. These include:

Name, e-mail address, IP address
Image and sound data when the camera and microphone are actively used
Metadata about the connection and use of the web conferencing tool
Post-event feedback data

The data is collected directly from you.

3. What do we process your data for (purpose of processing) and on what legal basis?

Based on your consent (Art. 6 (1) (a) GDPR)

Registration to participate in virtual events
Sending access data and information
Recording of image and sound (only with prior consent)

In the context of the balancing of interests (Art. 6 (1) (f) GDPR)

Implementation and technical provision of the web conference
Ensuring functionality and security
Processing of feedback data
Record for documentation (unless consent is required)

In the context of the employment relationship (Art. 6 (1) (b) GDPR)

Use by employees in the context of official tasks

Based on legal obligations (Art. 6 (1) (c) GDPR)

Record-keeping obligations in the event of a legal requirement

4. Who gets your data?

Within the bank, only those departments that need it to carry out the web conference are granted access. In addition, the following recipients may be involved:

Processor for the web conferencing tool
Full-service partner for organization and implementation

It will not be passed on to other third parties.

5. Is data transferred to a third country or to an international organization?

The processing takes place exclusively within the EU/EEA. A transfer to third countries is not envisaged, unless you have previously consented, and an adequate level of data protection is ensured.

6. How long will your data be stored?

Web conference recordings: 7 days (with consent)
Other data: only for as long as necessary or required by law

7. Is there an obligation for you to provide data?

The provision of your personal data is voluntary. Without this data, however, participation in the web conference is not possible.

8. What data protection rights do you have?

9. Right of withdrawal

You can revoke your consent to processing at any time with effect for the future. After the revocation, your data will no longer be processed.

10. Automated decision-making and profiling

There is no automated decision-making and no profiling in accordance with Art. 22 (1) and (4) GDPR.

11. Information about your right to object according to Art. 21 GDPR

You have the right to object at any time to the processing of your personal data on the basis of Art. 6 (1) (f) GDPR on grounds relating to your particular situation.

In the event of an objection, your data will no longer be processed, unless there are compelling reasons worthy of protection or the processing serves to assert, exercise or defend legal claims.

The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

Transcription and Recording function

We hereby inform you about the processing of your personal data by us and about your rights under applicable data protection law.

1. Who is responsible for data processing and who can I contact?

The controller is:
Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502

You can contact our data protection officer at:

Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361 2808
E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

In the context of business meetings in Microsoft Teams, the transcription and recording functions can be used. Personal data of the persons participating in the meeting are processed. During transcription, spoken language is automatically converted into text. There is no storage of sound or image data. The transcribed text is assigned to individual users exclusively via the technical audio track. If a person attends on-site via a meeting room (e.g., Surface Hub), their speech will not be assigned by name. During the recording, audio and image data of the meeting are stored. The recording is stored in the OneDrive of the recording user and automatically deleted after 60 days at the latest. There is neither automated recognition nor assignment of voice or facial features. There is no processing of special categories of personal data within the meaning of Art. 9 GDPR. This data is collected directly from you by participating in a transcribed and/or recorded meeting.

3. What do we process your data for (purpose of processing) and on what legal basis?

Norddeutsche Landesbank processes your personal data exclusively for the purposes listed below:

Documentation of the contents of conversations;
Support for record keeping and follow-up;
Quality assurance and internal organization;
Knowledge retention (e.g. on the traceability of decisions).

Transcription and recording are not carried out for performance or behavioral control.

The processing of personal data within the framework of the transcription and recording function is carried out based on Art. 6 (1) (f) GDPR (legitimate interest).

4. Who gets your data?

The personal data of the participants will not be passed on to third parties. The text data generated in the course of transcription and recording is processed exclusively for a specific purpose and can be made accessible to an unspecified internal group of people (e.g. meeting participants or internal departments). Since the transcription and recording is carried out via Microsoft Teams, Microsoft, as the provider of the M365 platform, in particular has access to the personal data to the extent that this is necessary for the technical provision, intermediate storage and processing of the transcription and recording function. Microsoft acts as a processor for Norddeutsche Landesbank and processes the data exclusively according to our instructions. In addition, Norddeutsche Landesbank commissions other service providers as processors. These service providers, in particular from the field of "IT services and telecommunications", may also have access to your personal data insofar as this is necessary for technical support or the operation of the systems used.

5. How long will your data be stored?

The transcriptions and recordings are retained for 60 days by default and then automatically deleted if they remain in the OneDrive folder. If the files are stored elsewhere, every employee within the Norddeutsche Landesbank is required to delete the transcriptions and recordings after 60 days. The transcripts and recordings generated are stored exclusively for the purposes for which they were created. Internally, transcripts and recordings may be retained for a period of 60 days if this is necessary for organisational reasons.

6. Is data transferred to a third country or to an international organization?

There is no intention to share your data with third parties. However, as part of using Microsoft Teams, technical systems at Microsoft international locations may also be able to access your data. Depending on the respective context of use, the data processed in the context of transcription and recording may be made available to an unspecified internal group of persons. A transfer of your personal data to a third country or an international organization takes place to the extent that Microsoft processes data in the context of the use of Microsoft Teams. Microsoft's servers may be located in a third country, specifically the United States. For the processing of your personal data in the context of the use of Microsoft Teams, there is a data processing agreement with Microsoft in accordance with Art. 28 GDPR. Microsoft processes the data exclusively in accordance with our instructions and uses EU standard contractual clauses as well as additional technical and organizational measures to ensure an adequate level of protection. Your personal data may be transferred to a third country to the extent that Microsoft accesses servers in the United States or other third countries as part of the technical provision and processing of Microsoft Teams. The data transfer is not based on consent, but on the guarantees implemented in the order processing relationship in accordance with Art. 46 GDPR, in particular the EU standard contractual clauses and supplementary protective measures of Microsoft.

7. What privacy rights do you have?

8. Is there an obligation for you to provide data?

The provision of your personal data is not required by law.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Information about your right to object according to Art. 21 GDPR

You have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation, insofar as processing is carried out on the basis of Art. 6 (1) (f) GDPR (legitimate interest). In the event of a justified objection, your personal data will not be processed further in the future. The objection can be made in any form, stating the meeting title and the meeting creator and should be addressed to:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: datenschutz@nordlb.de

Video surveillance

We hereby inform you about the processing of your personal data by Norddeutsche Landesbank Girozentrale (NORD/LB) in the context of video surveillance as well as about your rights under data protection regulations.

1. Who is responsible for data processing and whom can I contact?

Controller:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

Data Protection Officer:

Norddeutsche Landesbank – Girozentrale –
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What data is processed and from which sources does it originate?

NORD/LB processes image data of persons who are in the monitored area. These include:

Video recordings of people on the premises, in branches and at ATMs
Identification features such as clothing and objects carried
Facial recognition for ATM transactions

The data is collected directly from the data subjects.

3. What do we process your data for (purpose of processing) and on what legal basis?

In the context of the balancing of interests (Art. 6 (1) (f) GDPR):

The processing is carried out for:
Preservation of domiciliary rights
Prevention and investigation of vandalism and crimes
Preservation of evidence
Protecting employees, customers and visitors
Clarification of deposit and withdrawal processes at ATMs

4. Who gets your data?

Within the bank, access is granted only to those entities that need it to fulfil the stated purposes. Only the following will be passed on:

To public bodies (e.g. police) in the event of a criminal offence
Within the framework of legal powers

There is no provision for transfer to third countries or international organisations.

5. How long will your data be stored?

Recordings in public spaces and foyers: 72 hours
Transaction-related recordings at ATMs: 90 days

6. Is there an obligation for you to provide data?

The provision of your personal data is not required by law or contract. Failure to provide it has no negative consequences.

7. What data protection rights do you have?

8. Is there automated decision-making or profiling?

There is no automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR.

9. Information about your right to object according to Art. 21 GDPR

You have the right to object at any time to the processing of your personal data on grounds relating to your particular situation, provided that this is carried out on the basis of Art. 6 (1) (f) GDPR.

In the event of an objection, your data will no longer be processed, unless there are compelling reasons worthy of protection or the processing serves to assert, exercise or defend legal claims.

The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank Girozentrale
Friedrichswall 10
30159 Hanover
Germany

E-mail: kundenservice@nordlb.de

Service providers

We hereby inform you about the processing of your personal data by us and the claims and rights to which you are entitled under the data protection regulations. Which data is processed in detail and in what way depends largely on the data that is necessary for the provision of the services agreed with you.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank - Girozentrale -
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

We process personal data that we receive from you during our business relationship.

On the other hand, we process personal data that we have lawfully obtained from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers, press, media) and are permitted to process.

Relevant personal data are personal data (e.g. name, address and other contact details, date and place of birth and nationality) and legitimation data (e.g. ID card data). In addition, this may also include data from the fulfilment of our contractual obligations, information about your financial situation (creditworthiness data, scoring/rating data, origin of assets), documentation data (e.g. suitability declaration), register data.

In addition, all contractual documents associated with the order, including the subject matter of the order, invoices, all correspondence, bank details and all other data arising in relation to the performance of a contractual relationship, will be processed. If necessary, insofar as this is necessary for the fulfilment of the contract initiation or implementation, professional data such as certificates and professional qualifications, etc.

The data is provided by the data subject directly or by the service provider commissioned or to be commissioned.

As part of your service relationship, the personal data provided by you (e.g. master data, emergency contacts) as well as those data that arise based on the potential/current or former contractual relationship (e.g. billing data) will be processed.

3. What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

a. For the fulfilment of contractual obligations (Art. 6 (1) (b) GDPR)

The processing of personal data (Art. 4 No. 2 GDPR) is carried out for the establishment, administration and termination of contractual relationships.

The processing and transmission of personal data is carried out for the fulfilment of our contract or for the implementation of pre-contractual measures with you and the commissioning and execution of our orders.

This applies in particular to payroll accounting and contractual correspondence.

b. In the context of the balancing of interests (Art. 6 (1) (f) GDPR)

If necessary, we process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. Examples:

Consultation with credit agencies (e.g. CREFO) to determine creditworthiness or default risks;
Asserting legal claims and defending in legal disputes;
ensuring the bank's IT security and operations;
Prevent misuse, theft, loss, unjustified use, transfer to third parties or alteration of bank-related data, including personal and other customer data and trade secrets;
prevention and investigation of criminal offences;
Video surveillance is used to collect evidence in the event of crimes. They thus serve to protect customers and employees as well as to exercise domiciliary rights;
building and plant security measures (e.g. access controls);
measures to ensure domiciliary rights;
Business management measures

c. Based on your consent (Art. 6 (1) (a) GDPR)

Insofar as you have given us consent to the processing of personal data for certain purposes, the lawfulness of this processing is given on the basis of your consent. A given consent can be revoked at any time.

Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

d. Due to legal requirements (Art. 6 (1) (c) GDPR)

As a bank, we are subject to various legal obligations, i.e. legal requirements (e.g. the Banking Act, the Money Laundering Act, the Securities Trading Act, tax laws) as well as banking supervisory requirements (e.g. the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the Federal Financial Supervisory Authority as well as the savings bank supervisory authorities responsible under the respective state laws). The purposes of the processing include, among other things, the fulfilment of control and reporting obligations under tax law as well as the assessment and management of risks.

4. Who gets your data?

Within the bank, access to your data is granted to those entities that need it to fulfil our contractual and legal obligations. Processors used by us (Art. 28 GDPR) may also receive data for these purposes. These are companies in the categories of banking services, IT services, logistics, printing services, telecommunications, debt collection, consulting and consulting.

Outside the Bank, we may only pass on information about you if required by law, if you have consented or if we are authorised to provide information. Under these conditions, recipients of personal data can be, for example:

Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities) in the event of a legal or regulatory obligation.

Other data recipients may be those entities for which you have given us your consent to the transfer of data or for which you have released us from trade secrets in accordance with the agreement or consent.

5. How long will your data be stored?

If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), can usually be 3 years, but in certain cases up to thirty years.

6. Is data transferred to a third country or to an international organization?

Data will only be transferred to third countries (countries outside the European Economic Area – EEA) if this is necessary for the purpose of the service relationship, if it is required by law or if you have given us your consent. We will inform you separately about details if required by law.

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

As part of the service relationship, you only have to provide personal data that is necessary for the establishment, performance and termination of the contractual relationship or that we are legally obliged to collect. Without this data, we will usually no longer be able to conclude the contract or an existing contract and may have to terminate it.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

Information about your right to object according to Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) GDPR (data processing in the public interest) and Art. 6(1)(f) GDPR (data processing based on a balancing of interests).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: datenschutz@nordlb.de

Application procedure

The following data protection information provides an overview of the collection, processing and use of your personal data in connection with your application.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank – Girozentrale –
Data Protection Officer
Friedrichswall 10
30159 Hannover

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

We process personal data that we receive from you as part of your application.

Relevant personal data are personal identification data (name, address and other contact details, date and place of birth and nationality), electronic identification data (e.g. IP address, cookies, memberships (e.g. charitable or charitable organisations, associations, groups), and health data within the scope of permissibility (e.g. disability).

3. What do we process your data for (purpose of processing) and on what legal basis?

The purpose of the data processing is the initiation of an employment relationship in accordance with Art. 6 (1) (b) GDPR.

4. Who gets your data?

Within the bank and the group, those departments that need it to initiate the employment relationship will receive your data. Disclosure to authorities will only take place in the presence of overriding legal provisions.

Since application management is carried out via SAP Success Factors, your data will also be processed and stored by SAP. There is a contract with SAP for order processing in accordance with Art. 28 GDPR.

5. How long will your data be stored?

Your data will be stored for the duration of the application process. After a decision has been made on your application or after the position has been awarded, the data will be stored for 6 months. If you have agreed to be included in our talent pool in accordance with Art. 6 (1) (a) GDPR, your data will be stored for a maximum of two years. You can revoke this consent at any time.

6. Is data transferred to a third country or to an international organization?

Data will not be transferred to third countries (countries outside the European Economic Area -EEA).

7. What data protection rights do you have?

8. Is there an obligation for you to provide data?

As part of the application process, you only have to provide the personal data that is necessary for the establishment, implementation and termination of the contractual relationship or that we are legally obliged to collect.

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling.

SWIFT transfer

In addition to our General Data Protection Notice, the Data Protection Notice in the Brokerage Business and the Terms and Conditions for Credit Transfers, we provide information below about the processing of your personal data in the case of cross-border credit transfers and express transfers within Germany by us and the Society for Worldwide Interbank Financial Telecommunication SC (SWIFT) as part of the SWIFT transaction processing service and the data protection regulations Claims and rights to which they are entitled.

NORD/LB processes your personal data together with SWIFT in the context of international and express transfers via the SWIFT transaction processing service.

1. Who is responsible for data processing and whom can I contact?

The SWIFT transaction processing service enables payment service providers, such as banks, to exchange the personal data necessary for the execution of payment orders. The respective responsibilities are defined in a joint contract pursuant to Art. 26 (1) GDPR between NORD/LB and SWIFT, which is referred to as the "SWIFT Personal Data Protection Policy".

Joint Controllers:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
Data Protection Officer: datenschutz@nordlb.de

Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Address: Avenue Adèle 1, B-1310 La Hulpe, Belgium

Phone: +32 2 655 31 11
Website: www.swift.com
Data Protection Officer: privacy.officer@swift.com

2. What do we process your data for (purpose of processing) and on what legal basis?

We process your personal data to safeguard the following legitimate interests in accordance with Art. 6 (1) (f) GDPR:

Settlement of payment orders within the framework of the SWIFT transaction processing service
Preliminary verification of payment orders, including verification of the existence of the payee's account
Monitoring and management of payment orders
Prevention and investigation of crimes
Risk management within NORD/LB and at the payment service providers connected to SWIFT

3. What sources and data do we use?

We process personal data that we have received from and derived from customers for the secure execution of payment orders for cross-border transfers and express transfers in Germany.

The personal data processed include:

Personal details (e.g. name, address)
Order data (e.g. account numbers of the client and the beneficiary)
Information on the intended use
Transaction identifiers (e.g. transaction reference number)

4. Who gets your data?

As part of the joint responsibility, the following entities have access to your data:

Institutions necessary to perform the SWIFT transaction processing service or to comply with legal obligations.
Service providers in the fields of specialist and IT services as well as telecommunications.

SWIFT processes pseudonymized data for statistical analyses and product development on its own responsibility. This data is used to detect anomalies for fraud prevention and to improve payment efficiency on the SWIFT network. This data is stored for a period of 13 months within the European Union and Switzerland. If you have any questions or requests for information, please contact SWIFT directly.

5. Is data transferred to a third country or to an international organization?

Data will be transferred to entities in countries outside the European Union (so-called third countries) if it is necessary for the execution of your payment orders or if it is legally required. Furthermore, a transfer to entities in third countries is provided for in the following cases, whereby data protection obligations are complied with when transferring data to third countries and additional technical and organizational measures are taken to protect personal data: For reasons of reliability, availability and security, SWIFT stores payment data in its data centers in the European Union, Switzerland and in the case of third-country transactions in the United States. If this is necessary in individual cases, your personal data will be transferred to an IT service provider

in the USA or another third country to ensure IT operations in compliance with the European level of data protection.

6. How long will your data be stored?

We process and store your personal data for as long as it is necessary for the performance of the SWIFT transaction processing service or for compliance with legal and legal obligations.

7. Is there an obligation for you to provide data?

The provision of your data is necessary in order to be able to securely execute your payment orders using the SWIFT transaction processing service.

8. What data protection rights do you have?

9. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

Within the framework of the SWIFT transaction processing service, there is generally no fully automated decision-making including profiling in accordance with Art. 22 GDPR.

10. What should you know about the right to object under Art. 21 GDPR?

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. The objection can be made in any form and should be addressed to:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

If you wish to object to the processing of pseudonymised account statistics by SWIFT for the "Statistical Analysis and Product Development" service, please indicate your account number(s), the name of the account holder(s), the name(s), the BIC of your account-holding bank(s) (Business Identifier Code) and your e-mail address and send your objection to: opt.out@swift.com.

NORD/LB WLAN HotSpot "NLB-Guest"

NORD/LB offers the NORD/LB WLAN HotSpot "NLB-Guest". In doing so, we also process your personal data.

1. What do we process your data for (purpose of processing) and on what legal basis?

Norddeutsche Landesbank (NORD/LB) processes your personal data for the following purposes:

Technical access: IP addresses, MAC addresses and log files are required to give you access to the Wi-Fi guest network.
Location data: This data is derived from the connection to the WLAN and the location of NORD/LB and is necessary to provide the WLAN network at this location.
Connection data: Automatically collected information such as the time of connection, disconnection, roaming data and connection times is required to provide service.
Surfing behaviour: Data about your surfing behaviour is collected in order to apply blacklists and content filters. This is to prevent access to illegal or inappropriate internet services. Providers of guest Wi-Fi are obliged to prevent misuse via their networks. NORD/LB also stores this data in order to be able to provide information in the event of a lawful request from law enforcement authorities.
Use of data: All personal data is collected exclusively for the technical provision of Wi-Fi access and is not used for other purposes.

The legal basis for the processing of your data is your consent to the terms of use of the "NLB-Guest" Wi-Fi hotspot, which corresponds to a contractual agreement in accordance with Art. 6 (1) (b) GDPR.

2. What sources and data do we use?

When you connect to the Wi-Fi hotspot, device-specific identifiers and connection data are collected. This identification data is automatically collected by the central network management system and is necessary to enable the use of the hotspot.

3. Who gets your data?

Your personal data will not be passed on to third parties. The information will only be used in accordance with your consent to provide the Wi-Fi hotspot service.

NORD/LB has commissioned Telekom AG as a service provider and processor. These service providers, operating in the "IT Services and Telecommunications" category, may also have access to your personal data.

4. Is data transferred to a third country or to an international organization?

There is no intention to transfer personal data to third countries or international organisations. The service is provided exclusively in European data centers, and information is not forwarded to third countries.

5. How long will your data be stored?

All personal data is stored in the central management system for a maximum of 60 days and then automatically deleted.

6. Is there an obligation for you to provide data?

The provision of your personal data is neither required by law nor contract and is not necessary for the conclusion of a contract. However, if the Hotspot Service is not provided, it will not be possible to use it.

7. What data protection rights do you have?

8. To what extent is there automated decision-making in individual cases? To what extent is your data used for profiling (scoring)?

There is neither automated decision-making nor profiling in accordance with Art. 22 (1) and (4) GDPR.

VideoIDENT

How we handle your data and your rights

The following data protection information provides an overview of the collection, processing and use of your personal data in connection with VideoIDENT.

1. Who is responsible for data processing and whom can I contact?

The controller is:

Norddeutsche Landesbank - Girozentrale -
Friedrichswall 10
30159 Hanover
Germany

Phone: +49 (0) 511 361-0
Fax: +49 (0) 511 361-2502
E-mail: kundenservice@nordlb.de

You can contact our data protection officer at:

Norddeutsche Landesbank Girozentrale
Data Preotection Officer
Friedrichswall 10
30159 Hanover
Germany

E-mail: datenschutz@nordlb.de

2. What sources and data do we use?

Various data is collected as part of the VideoIDENT procedure:

Identification data: This includes all information needed to verify identity, such as ID details (name, date of birth, address).
Verification data: This data is necessary to prove that the identification has been carried out. This includes, for example, scans of the ID card or recordings of the video identification process. This data will be processed in accordance with the provisions of the law and the legitimate interest.

3. What do we process your data for (purpose of processing) and on what legal basis?

All data collected or obtained during the VideoIDENT procedure will be used by NORD/LB for the purposes of personal identification on behalf of the respective business partner. The responsible person and contact person for questions about the processing of your data is the business partner.

The identification is necessary for the contractual relationship between the user and the business partner, usually due to legal requirements, the legal basis is therefore Art. 6 (1) (b) and (c) GDPR.

4. What data is processed and to what extent?

The scope of the processing and use of the data carried out by NORD/LB in the context of identification depends on the reason for identification, i.e. the intended or already existing contractual relationship between you as a user and the respective business partner involved, as well as the legal requirements for proof of identification (e.g. in accordance with the requirements of the Money Laundering Act, Telecommunications Act, etc.).

When carrying out identification with the VideoIDENT procedure, NORD/LB collects a maximum of the following data from the user (depending on the reason for use):

a. Identity card data

Salutation
Title/Academic Degree
Name
First name (all first names)
Birth name
Place of birth
Date of birth
Nationality
Street and house number
Postal code and city
ID card data (e.g. ID card type, ID card number, place and date of issue, issuing authority, period of validity)
Mobile phone number
E-mail address

As part of your identification, you may be sent a transaction number by e-mail, which can be used to start the identification process at any time. The user's e-mail address is required for this purpose. The mobile phone number is required as a secure second factor in the sense of two-factor authentication for the transmission of a TAN for individual procedures.

b. Verification data

If the business partner requests identification in accordance with certain legal requirements (e.g. Money Laundering Act (AMLA), Telecommunications Act (TKG), eIDAS (electronic IDentification, Authentication and trust Services Regulation, etc.), this includes the transmission of ID data and – depending on the identification procedure – the data of proof of identification (proof data). Depending on the procedure, this can be the following data:

Photo/screenshot of the user
Photo/scan of the identity document
Photo/scan of the driver's license
Recording (audio and video) of the entire identification process
Place and time of identification
Photo/scan of the signature

NORD/LB guarantees that all data collected is processed in accordance with the applicable data protection regulations.

5. Who gets your data?

If the identification is carried out in the context of a specifically desired contract conclusion with a business partner, the data required for the respective proof of identity will be transmitted to the desired business partner after completion of the identification.

Service companies and service providers are involved in the implementation of identification as well as customer service and IT services.

Data processing takes place exclusively on the territory of the European Union (EU) and in the European Economic Area (EEA) in audited data centers.

6. Is data transferred to a third country or to an international organization?

As part of the implementation of the VideoIDENT procedure through video chat, additional

a photo/screenshot of the user (portrait photo)
a photo/screenshot of the identity document and
a complete audio-visual call recording was made.

This recording data as well as the identification data may be used by NORD/LB for the purpose of monitoring the procedure, in particular for quality assurance measures with regard to compliance with the legal requirements of the procedure.

7. Possible processing of biometric data

Furthermore, biometric data can be processed through video chat as part of the implementation of the VideoIDENT procedure in order to better detect fraud attempts such as identity theft. The position data of the face is compared with the identity document.

Your biometric data is not stored. Only results of the processing that do not themselves constitute biometric data and do not allow any conclusions to be drawn about the person to be identified are stored. In addition, there is no further processing, such as for analysis or profiling