kfw arrows Data Protection

KfW Capital GmbH & Co. KG Privacy Notice

You can rely on the protection and security of your personal data: we consider it our responsibility to protect your privacy when processing your personal data. The following data privacy information provides an overview of how your data is processed and what your rights are under data privacy regulations when using the products and services of KfW Capital GmbH & Co. KG.

1. Who is responsible for data processing and whom can I contact?

The following party is responsible:

KfW Capital GmbH & Co. KG ,
as represented by KfW Capital Verwaltungs GmbH (hereinafter: “we”, “us” or “KfW Capital”)
Bockenheimer Landstrasse 98 – 100
60323 Frankfurt
Phone: +49 69 7431 8880
Fax: +49 69 7431 88 81

You can reach our company data protection manager at:

Bockenheimer Landstrasse 98 – 100
60323 Frankfurt

E-mail: Datenschutz-kfw-capital@kfw.de

2. Which sources and data does KfW Capital use?

We process personal data which we receive from our customers, business partners and website visitors in connection with the use of our website and in connection with our business relationships with these groups.

Personal data processed by us refers in particular to personal details (such as name, address, telecommunications data, date and place of birth, marital status), identification data (such as ID, reporting data), contractual data, advertising and sales data, documentation data, registration data and similar information.

3. For what purpose does KfW Capital process your data and what is the legal basis?

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other applicable legal regulations.

For technical reasons we need to collect and temporarily store data when our website is used (domain, IP address, queries, user agent, timestamp, status code). The legal basis for processing your personal data in this context is Article 6(1)(1)(f) of the GDPR.

3.1. General communications and use of the newsletter function – for the purpose of performing contractual obligations and on the basis of your consent:

  • General communication
  • Processing enquiries about funding
  • Processing other enquiries
  • Invitations
  • Other advertising purposes

The processing of your personal data in this context is generally a prerequisite for concluding and performing a contract with you or entering into a preliminary agreement with you. You are not legally obligated to make your personal data available to us. Without these data, however, we will not be able to perform the relevant contract with you. The legal basis for this processing is Article 6(1)(1)(b) of the GDPR. This provision permits the processing of personal data if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps prior to entering into a contract.

If you have given us your consent to process personal data for specific purposes, this consent serves as the legal basis for processing the data (Article 6(1)(1)(a) of the GDPR). Consent which has been granted may be revoked at any time. If consent is revoked, the legality of data processing carried out before consent was revoked is not affected.

3.2 Risk management and compliance — for the purpose of safeguarding legitimate interests:

– Assertion of legal claims and defence in legal disputes
– Prevention and investigation of criminal activities
– Assurance of IT security and IT operations
– Risk management at KfW Capital and KfW Group

The legal basis for processing your personal data in this context is Article 6(1)(1)(f)  of the GDPR. Our legitimate interest consists in complying with applicable legal provisions, maintaining the security of our IT systems and, in case of non-compliance with legal requirements or violations of security regulations, responding adequately to such circumstances, for instance by establishing legal claims. We believe that these interests prevail since, as a finance company and through KfW Group’s risk management plan, we are subject to a significant number of regulatory requirements and have a responsibility towards our customers to ensure that the corresponding requirements and security regulations are complied with. We protect the relevant data in such a way that we do not see any overriding disadvantages for you.

3.3 Social media

You can access our social media channels (LinkedIn, Xing and Twitter) from our website.
Caution: When choosing one of the following links, you will leave our website and be directed to the website of a social media platform. Any information available there that was not posted by KfW Capital was created without any help from us and we are therefore not responsible for this content. We do not accept any liability for the information being up-to-date, accurate or complete. Reference to social media does not imply any approval on our part.

Particularly for reasons of data protection compliance, the relevant social media cannot be directly accessed. Corresponding notices will therefore be displayed. In addition, you may first have to click on integrated buttons, thus giving your express consent to the communication with the social media platform. Only after that, the browser will connect you by establishing a direct connection with the social media platform’s servers.

Please keep in mind that we are not aware of nor do we influence how and what data find their way to the social media platform.

By activating the button, you will provide the social media platform with the information that you have opened one of the web pages of the platform on the Internet. If you are already registered with the social media platform, it will be able to link your visit with your account on the social media platform. But even if you have not yet registered with the social media platform, it is not possible to preclude the possibility that it will collect and/or store your IP address after clicking on the platform.

3.4 Cookies

KfW Capital uses cookies to ensure that its website functions correctly, e.g. for navigation and to display all elements of the page. Without the technical cookies, you will be unable to visit our website. Cookies are used solely to meet the technical requirements of accessing and using the website. We do not set cookies for other purposes (for example, to analyse user behaviour). Cookies are small text files that are linked with the browser you are using and are stored on your hard drive, sending certain information to the person who set them. You can set your web browser to inform you when cookies are being transmitted or to reject cookies. You can find more information on this in the “help” section of the browser that you use to access the internet (e.g. Microsoft Internet Explorer or Firefox).

The data are not used in any way to personally identify a visitor (if this were even technically possible) nor are they linked to the data about the bearer of a pseudonym.

3.5 Google Maps

If you decide to use services of the provider Google Maps API by clicking on a relevant service, the data are processed by Google Maps on the basis of the information transmitted by Google Maps API, for the correctness and completeness of which KfW Capital does not assume any liability, according to the following conditions:

This website uses Google Maps API, a map service of Google Inc., in order to present interactive maps and to generate routing maps. Google Maps is operated and provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).  The provision of an interactive map is in the legitimate interest of Google and of us. Art. 6 (1)(1)(f) of the GDPR represents the legal basis for the data processing.

By using Google Maps, information about your usage of this website (including your IP address) may be transferred to a Google server in the USA and stored there. Google may transfer information that has been obtained through Maps to third parties, if this is required by law or insofar as third parties process these data on behalf of Google. Appropriate guarantees for the transfer from a third country to Google are available in the form of Google’s Privacy Shield certification (available to view here).

Google will never merge your IP address with other data from Google. Nevertheless it would be technically possible for Google to identify individual users on the basis of the data received. It would be possible for Google to process personal data and personality profiles of website users for other purposes that we do not and cannot influence. You have the option to deactivate the Google Maps service and thus prevent the transfer of data to Google by deactivating JavaScript in your browser. However, please note that you will be unable to use the map display on our pages if you do so.

The Google privacy policy & additional terms of service for Google Maps can be found at https://policies.google.com/privacy?hl=en and https://www.google.com/intl/en_en/help/terms_maps/

4. Who will have access to my data?

Within KfW Capital, the departments that need your data to fulfil our contractual and legal obligations receive access to your data. Service providers and agents employed by us (for instance assisting KfW for regulatory and functional purposes, in addition to consultants and service providers such as lawyers and tax consultants) may also receive data for these purposes, provided that they comply with data protection obligations. We may only disclose information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide such information for other reasons. Under these conditions, recipients of personal data could include:

  • Public bodies and institutions (for instance, KfW and other KfW Group companies, the Deutsche Bundesbank, the Federal Financial Supervisory Authority, the Federal Court of Auditors, courts of auditors in the German states, the Federal Parliament including its committees, European Banking Authority, the European Central Bank (ECB), the European Investment Fund (EIF), the European Investment Bank, the European Commission, German federal and state ministries, financial authorities and official bodies) in the event of a legal or official obligation;
  • Other credit and financial services institutions or similar institutions (e.g. national promotional institutions) to which we transfer personal data for the purpose of managing our business relationship with you — including, if necessary, as part of a preliminary agreement process (e.g. commercial banks, credit agencies depending on the contract);
  • Service providers which process data on our behalf (e.g. data centres, tax consultants);
  • Experts, to the extent that they are necessary for the business process.
  • Other entities or service providers, as far as explicitly indicated this in these data protection guidelines or other privacy notices of KfW Capital.

Other data recipients may be bodies for which you have given us your consent to transfer data.
If you need further information on individual recipients, please do not hesitate to contact us.

5. Will any data be transferred to a third country or to an international organisation?

Data is not transferred to entities in countries outside of the European Union (known as third countries), except in the cases indicated in these data protection guidelines or other privacy notices of KfW Capital.
If data is transferred in a third country, appropriate safeguards are applied to ensure an adequate data protection level (Art. 46ff. of the GDPR).

6. How long will my data be stored?

How long personal data are stored is based on the respective processing purposes. It is not possible to list the various storage periods in a reasonable format here. The criteria to determine the specific individual storage periods are the following:

  • If we only process data for the purpose of executing a contractual relationship, we store the data for the duration of the contractual relationship.
  • Where we process data in connection with anticipated legal disputes, we will store the data until the court proceedings have definitively been completed or until the claims at issue have become time-barred in accordance with the applicable civil law provisions. The general limitation period is three years.
  • In addition, we are subject to various storage and documentation requirements arising from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). The periods for retention and documentation stipulated in these laws range from two to ten years.

7. What are my data privacy rights?

  • If the statutory prerequisites are met, you have the following rights in accordance with Articles 15 to 22 of the GDPR:Right of access in accordance with Article 15 of the GDPR, i.e. the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to this personal data and other information;
  • Right to rectification in accordance with Article 16 of the GDPR if personal data concerning you is not correct;
  • Right to erasure in accordance with Article 17 of the GDPR, e.g. when the personal data are no longer necessary in relation to the purposes for which they were processed;
  • Right to restriction of processing in accordance with Article 18 of the GDPR. With respect to the right of access and the right to erasure, the restrictions pursuant to Sections 34 and 35 of the German Federal Data Protection Act apply. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR).
  • Right to data portability in accordance with Art. 20 of the GDPR, i.e. the right to receive your personal data from us in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, while this right according to Art. 20(3) sentence 2 of the GDPR does not apply, if the data are processed for the performance of public tasks.

    Right to revoke your consent

    You are free to revoke consent that you have granted to process data at any time. This does not, however, affect the legality of processing carried out before consent was revoked. If you revoke your consent or effectively object to further processing on the basis of your consent, we will no longer process the data for these purposes.

    Information about your rights to object
    Right to object in individual cases according to Article 21 of the GDPR

    You have the right to object at any time to the processing of your personal data, which is based on the performance of tasks in the public interest or on a balancing of interests (Article 6(1)(1) (e) and (f) of the GDPR). insofar as reasons arise from your particular circumstances which preclude such data processing. This also applies if automated individual decision-making is used (Article 22 of the GDPR).

    If you raise an objection we will no longer process your personal data for these purposes unless we are able to provide evidence of compelling reasons for the processing which are worthy of protection and which override your interests, rights and freedoms, or unless the processing serves the purpose of establishing, exercising or defending legal claims.
    In individual cases we process your personal data in order to inform you about similar products or to make contact with you for our own business purposes. You have the right to raise an objection to the processing of your personal data at any time. If you object to data processing for the purpose of direct publicity or of contacting you, we will no longer process your personal data for such purposes.

    Please send your objection to one of the following addresses:

    Postal delivery:
    KfW Capital GmbH & Co. KG
    Bockenheimer Landstraße 98 – 100
    60323 Frankfurt

    E-Mail: info-kfw-capital@kfw.de

    Right to object under Telemedia Act Section 15

    Pursuant to Section 15 of the German Telemedia Act (Telemediengesetz; TMG), website visitors may object to the storage of their visitor data collected in anonymised form, so that such data will no longer be collected in the future.

    (status: Oct 2020)