Privacy Policy

We, HSH Nordbank AG (in the following: "we" or "us") appreciate your interest in our company and our products. In this Privacy Policy, we want to inform you about the processing of your personal data (in the following also only "data") when you visit our website https://www.hsh-nordbank.de and use our services. We further provide information about your rights. Data privacy is very important to us, and we comply with the applicable data protection regulations, in particular, the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as a matter of course.

Our website and our services are not intended for children or adolescents under the age of 16.

If you do not understand terms that we use in this Privacy Policy, our explanations provided under the heading "Help in understanding data protection terms" might help. If you have any questions about data privacy, you can also contact us (informally) by using the contact details provided below.

The controller for the data processing is:

HSH Nordbank AG
Gerhart-Hauptmann-Platz 50
20095 Hamburg, Germany and
Martensdamm 6, 24103 Kiel, Germany
E-Mail: info@hsh-nordbank.com
Telephone: Hamburg +49 40 3333 0 / Kiel +49 431 900 01


You can contact our data protection officer at:

HSH Nordbank AG
Data Protection Officer
Martensdamm 6
24103 Kiel
Germany
E-Mail: datenschutz@hsh-nordbank.com


I. Data processing during your visit to our website

We collect and process your personal data in the context of your visit to our website. This is done for the purposes and to the extent described below. In doing this, we disclose your data to third parties only as described below.


1. To make our website and services available

In order to be able to make our website and the services rendered via the website available to you, we collect and process the following data relating to you automatically when you visit our website:

  • date and time of your access
  • your IP address
  • the address of the website via which you accessed our website
  • the websites that you switch to while you are on our website
  • information about your internet browser (browser type and version)
  • the operating system of the device by way of which you access our website and services
  • your internet service provider

The legal basis for the processing of your data in order to make our website and services available to you is Article 6(1) sentence 1 (f) GDPR. We have a legitimate interest in processing your data so that we can offer our website and the services rendered via our website without technical problems, securely and tailored to your needs. The data of the server log files are stored separately from other data.

We store this information, but without your IP address, in log files for security reasons and erase it after 15 days. The data in the log files are stored separately from other data about you.

The data are stored for a longer period only if necessary in the individual case (e.g. in the event of a concrete suspicion of misuse or fraud). In such cases, the respective log files are stored until the matter has been investigated and any subsequent necessary measures have been completed.

To be able to make our website and the services rendered via the website (including those specified below) available, we use service providers that process your data specified in this Privacy Policy only on our account and in accordance with our instructions (processors as defined in Article 28 GDPR) and which have implemented the appropriate technical and organisational measures to protect your rights. That especially includes Diebold Nixdorf Global IT Operations GmbH, Wendenstraße 21, 20097 Hamburg, the hosting provider for our website and related services.


2. Use of cookies

When you visit our website, we also collect and use your data so that you can use our website and services more conveniently. In this context, we also use a session cookie. Cookies are small text files that are saved on your device via your internet browser. Details regarding the definition of cookies and how they function and regarding other data protection and technical terms are available under "Help in understanding data protection terms".

The legal basis for the use of the session cookie in the context of our website and services is Article 6(1) sentence 1 (f) GDPR. We have a legitimate interest in using the cookie so that we can offer our website and the services rendered via our website with the optimal technology.

The session cookie is erased when you leave our website.

Moreover, you can generally deactivate the use of cookies in your browser settings. Without the use of cookies, however, some functions of this website may not work at all or may not work as conveniently for you as usual.

3. Contacting us (particularly when a form is used)

You can contact us in different ways. These include contacting us by way of the forms on our website or by email. The data processing that takes place in the context of contacting us can serve different purposes, depending on the content of your communication. As a rule, we store and process the data given to us so that we can process the matter that you contacted us about.

The legal basis for the processing of your data when you contact us is your consent (Article 6(1) sentence 1 (a) GDPR).

The only exception is where your contact with us directly serves the performance of a contractual relationship already existing between us. In these cases, we base the processing of your data on Article 6(1) sentence 1 (b) GDPR.

Your data stored in the context of your contact with us are erased as soon as they are no longer necessary and as long as they are not subject to any statutory retention duties. We check whether it is necessary to continue to store data at least once a year. Deviating from this, data regarding contractual relationships are stored for at least six years or, if they have tax relevance, for at least ten years.


4. Use of our newsletter

On our website, you can subscribe to a free newsletter containing promotional information if you have explicitly consented to receiving it. To avoid misuse, you will first receive an email with a confirmation link that you must activate in order to receive the actual newsletter (double opt-in procedure).

When you register for the newsletter, your email address, your IP address and the date and time of your registration will be transmitted to us and stored and processed by us. Your data will be used only as proof of your consent to the content and transmission of the newsletter. No data will be disclosed to third parties.

The legal basis for the processing of your data in the context of the transmission of our newsletter is your consent (Article 6(1) sentence 1 (a) GDPR).

Your data will be stored as long as we regularly send you the newsletter. If we should no longer send you the newsletter (in particular, if you withdraw your consent), we will erase your data 12 months after sending you the last newsletter at the latest.

Please note that you can withdraw your consent at any time and can unsubscribe from the newsletter by sending us an email to investor-relations@hsh-nordbank.com or by clicking on the unsubscribe link in each newsletter.

We use the services of mailing service providers that assist us in the mailing of our newsletter and process your data only on our account and in accordance with our instructions (processors as defined in Article 28 GDPR). These service providers have implemented appropriate technical and organisational measures for the protection of your data. These are currently:

  • Newsletter2Go GmbH, Nürnberger Straße 8, 10787 Berlin (Germany).
  • Eventbutler GmbH, Lerchenfelder Str. 74, 1080 Wien (Austria)


5. Internet-Banking

You can carry out your banking transactions via several transaction services, for example our online branch (Internet banking).

We use the data processed in the context of internet-banking (in particular access and authentication data such as user-ID, PINs, TANs, your entries in the internet-banking as well as payment transaction data such as booking records, payment recipients, account data, purposes, transfer and credit card information) exclusively for the purposes of providing internet-banking and carrying out payment transactions.

Due to legal requirements (in particular from the Money Laundering Act (GWG), the Banking Act (KWG) and the Payment Services Supervision Act (ZAG)), we may be obliged to transfer your payment transaction data to public institutions.

In addition, the data is transferred to our payment service providers as part of the technical provision of internet-banking and the processing of payment transactions. They process your data exclusively on our behalf and in accordance with our instructions (so-called data processors in accordance with Article 28 GDPR) and have taken appropriate technical and organisational measures to protect your data.

In the case of international transfers and separately ordered express transfers, the data contained in the transfer are forwarded to the recipient's credit institution via international payment service providers (in particular SWIFT located in Belgium and TARGET2).

The legal basis for the processing of payment transactions is the execution of our contract with you, Article 6(1) sentence 1 (b) GDPR. The legal basis for the legally required transfer of data to third parties and their storage beyond our contractual relationship is Article 6(1) sentence 1 (c) GDPR.

We store your data processed in the context of online banking for as long as it is necessary for the technical provision and execution of the contract. In addition, we process your data for as long as we are obliged to do so under statutory and supervisory requirements, in particular under tax and fiscal law.


6. Fund information and trading portal (Fondsinformationsportal und Handelsportal)

The fund information and trading portal (Fondsinformationsportal und Handelsportal) is linked via our website at https://www.hsh-nordbank-geschlossenefonds.de/ and is not operated by us. Please read the privacy policy shown there.


II. Data processing in the context of our online presence on XING and LinkedIn

In addition to our website we are also represented on online platforms and in social networks. If our communication with you takes place on these platforms and in these networks, their terms and data privacy policies will apply to our communication. You can find these terms and policies on the website of the relevant provider.

If you communicate with us via such platforms or networks, we process the data in your messages and posts, depending on their content and the purposes of the communication, on the basis of either Article 6(1) sentence 1 (b) GDPR or Article 6(1) sentence 1 (f) GDPR. We use your data in order to be able to communicate with you.

If the respective platform or network allows this, your data will be erased as soon as they are no longer necessary for the respective purpose.


III. Routine erasure and blocking of data

In principle, we store your data only for the time period required for the achievement of the purpose of the storage or prescribed by the European lawmakers or other lawmakers in laws or regulations to which we are subject. In Germany, in particular, a duty to store for six years applies under § 257 (1) German Commercial Code (Handelsgesetzbuch) (particularly to trading books, inventories, opening balance sheets, annual financial statements, commercial correspondence, internal invoices) and for ten years under § 147 (1) German Tax Code (Abgabenordnung) (particularly to accounts, records, management reports, internal invoices, commercial and business correspondence, documents relevant for taxation). If the purpose for storage no longer applies or if a storage period prescribed by statutory provisions expires, your personal data is routinely blocked or erased in compliance with the statutory provisions. Please take note of the specific statements regarding individual storage and erasure periods in this Privacy Policy as well.


IV. Your rights

As data subject (Article 4(1) GDPR), you have numerous rights about which we would like to inform you in the following. Details can also be found in Articles 15 to 21 GDPR and §§ 32 to 37 German Federal Data Protection Act (in the version applicable as of 25 May 2018).

To exercise your rights, please contact our data protection officer designated above (no specific form required).


1. Right of access

You have the right to obtain from us information as to whether or not personal data concerning you are being processed and if so, what data are being processed. This includes information as to how long and for what purpose we process the data, the source of the data and to what recipients or categories of recipients we disclose the data. You can also obtain copies of these data from us.


2. Right to rectification

You have the right to obtain from us, without delay, the rectification of data concerning you that are incorrect or are no longer correct. Moreover, you can demand that your incomplete personal data be completed. If this is required by law, we will also inform third parties about this rectification if we have disclosed your data to them.


3. Right to erasure ("right to be forgotten")

You have the right to obtain from us the erasure of your personal data without delay when one of the following reasons applies:

  • your data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or the purpose has been achieved;
  • you withdraw your consent and there is no other legal basis for the processing;
  • you object to the processing and there are no overriding legitimate grounds for the processing; where personal data are used for direct marketing purposes, it suffices if you simply object to the processing;
  • your personal data have been unlawfully processed;
  • your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.

Please note that your right to erasure can be restricted by statutory regulations. These include in particular the restrictions listed under Article 17 GDPR and § 35 German Federal Data Protection Act (in the version applicable as of 25 May 2018).


4. Right to restriction of processing

You have the right to obtain from us the restriction of the processing of your personal data where one of the following applies:

  • you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • we no longer need your personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
  • you have objected to the processing pending the verification whether our legitimate grounds override yours.

If you have obtained a restriction of processing according to the list above, we will inform you before the restriction of processing is lifted.


5. Right to withdraw consent

You may withdraw your consents given to us at any time with effect for the future. This withdrawal may take the form of an informal notification to the contact address mentioned above. This also applies to the consents given to us before the applicability of the GDPR (i.e. before 25 May 2018). If you withdraw your consent, this does not affect the validity of the data processing carried out until then. In general, the consequence of a withdrawal of consent is that you will no longer be able to use the services with regard to which we requested your consent or to use them to the full extent.


6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit these data to others. For details and exceptions, please see Article 20 GDPR. Exercising this right does not affect your right to erasure.


7. Right to lodge a complaint with the supervisory authority

If you are of the opinion that the processing of your personal data violates applicable data protection law, you may lodge a complaint with a competent supervisory authority, particularly with the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit) and the Independent Centre for Privacy Protection Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig Holstein) or the respective supervisory authority in the Member State of your habitual residence, place of work or place of the alleged violation.


8. Right to object pursuant to Article 21 GDPR

According to Article 21 GDPR, you may object, on grounds relating to your particular situation, at any time to the processing of your personal data if we base this processing on legitimate interests in accordance with Article 6(1) sentence 1 (f) GDPR. If you object, we will no longer process your personal data, unless:

  • we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
  • the processing serves the establishment, exercise or defence of legal claims.

In particular, if we process your personal data for direct marketing purposes, you may object at any time to the processing of your personal data for such marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

V. Help in understanding data protection terms

In this Privacy Policy, we use some terms that are also used by the lawmakers, particularly in the European General Data Protection Regulation (GDPR). Since it is of great importance to us that you understand this Privacy Policy, we will explain some important terms to you below in alphabetical order:

Browser: This is any program used to display websites online, such as the programs Mozilla Firefox or Google Chrome.

Consent: This is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller: This means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Cookies: Cookies are small text files that include a characteristic character sequence (cookie ID) and are filed and stored on your device (e.g. smart phone or computer) via an internet browser if you do not prevent this by adjusting your technical settings. Cookies make it possible for websites and servers to distinguish your individual browser from other internet browsers. A specific internet browser can therefore be recognised and identified by the distinct cookie ID. It is therefore possible to facilitate the use of our website because, for example, you have to enter certain data only once. If possible, we use cookies that are deleted again once you close your browser (session cookies). In addition to the option of configuring your browser not to accept any cookies, you also have the option of deleting already placed cookies at any time via an internet browser or other programs. Please note, however, that the non-use of cookies may result in a situation in which not all functions of our website or services can be used to the full extent.

Data subject: This is any identified or identifiable natural person whose personal data are processed by the controller responsible for the processing.

IP address: This is an address linked to your device (e.g. smart phone or computer) ensuring that your device can be addressed and reached on the internet.

Personal data: This is any information relating to an identified or identifiable natural person (also called "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: This means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: This is a natural or legal person, public authority, agency or other body who/which processes personal data on behalf of a controller.

Recipient: This is a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not.

Restriction of processing: This is the marking of stored personal data with the aim of limiting their processing in the future (e.g. with regard to certain processing purposes).

Third party: This means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.


VI. Security

We apply technical and organisational security measures so as to protect your personal data against misuse, loss, destruction or from access by unauthorised persons. Our security measures correspond to current state-of-the-art technology.


VII. Validity of and amendments to the Privacy Policy

This Privacy Policy is valid at present and dates from 24.05.2018.

Owing to the development of our website or the implementation of new technology, it may become necessary to amend this Privacy Policy. We reserve the right to make such amendments at any time.


VIII. Your questions regarding data protection

Should you have any questions regarding this Privacy Policy or your rights, please do not hesitate to contact the data protection officer designated above.