Data protection

Data protection notice

The following information provides you with an overview of how we process your personal data and your rights under data protection law. Which data are processed in detail and how they are used depends largely on the services requested by or agreed with you. Therefore, not all of this information may apply to you.

Who is responsible for data processing and who can I contact?

The party responsible is:

Hoerner Bank AG
Oststrasse 77
74072 Heilbronn
Germany
Tel.: +49 7131 9322-0
info@hoernerbank.de

You can contact our company data protection officer at:

Hoerner Bank AG
Datenschutzbeauftragter
Oststrasse 77
74072 Heilbronn
Germany
Tel.: +49 7131 9322-0
datenschutzbeauftragter@hoernerbank.de

The contact information can also be found online at www.hoernerbank.de.

What sources and information do we use?

We process personal data that we receive from you in the course of our business relationship. In addition, we process – insofar as this is necessary for the provision of our services – personal data that are legitimately transmitted to us by other companies within the Hoerner Bank Group or by other third parties [e.g. SCHUFA (the General Credit Protection Agency)], (for example for the completion of mandates, fulfilment of contracts or on the basis of consent granted by you). We also process personal data that we have obtained legitimately, and are permitted to process from publicly accessible sources (e.g. lists of debtors, deed registries, commercial and association registers, press, media, publicly accessible archives).

Relevant personal data are personal particulars (name, address and other contact data, date and place of birth, nationality), proof of identity data (e.g. identity card data) and authentication data (e.g. sample signature). In addition, this may also include mandate details (e.g. payment order, security order), data from the fulfilment of our contractual obligations (e.g. sales data in payment transactions, credit limits), product data (e.g. deposit, loan and portfolio business), information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g. consultation records), registration data, data concerning your use of the telemedia services that we offer (e.g. times at which our website, apps or newsletter were accessed, our pages or entries clicked on) as well as other data comparable with the categories mentioned.

Why do we process your data (purpose for processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

1. To fulfil contractual obligations (Article 6 para. 1 lit. b of the GDPR)
The processing of personal data (Article 4 no. 2 of the GDPR) takes place for the performance and mediation of banking transactions, financial services as well as insurance and real estate business, in particular in order to implement our contracts or pre-contractual measures with you and for the execution of your mandates, as well as all activities necessary within the scope of operating and managing a bank or financial services institute.

The purpose of data processing is primarily based on the actual product (e.g. account, loan, building society savings, securities, deposits, agency services, online banking) and can include needs analysis, consultation, asset management and support as well as the execution of transactions.

Please refer to the specific contractual documents and terms of business for further details regarding the purpose of data processing.

2. In the context of balancing interests (Article 6 para. 1 lit. f of the GDPR)
If need be, we process your data beyond the actual fulfilment of the contract to protect the legitimate interests of ourselves or third parties, as for example in the following cases:

  • consultation of and the exchange of data with credit agencies (e.g. SCHUFA) for determining creditworthiness or credit risk and requirements for an account exempt from attachment or a basic account,
  • checking and optimizing procedures for needs analysis and direct customer contact,
  • advertising or market and opinion research, as long as you have not objected to the use of your data,
  • assertion of legal claims and defense in legal disputes,
  • ensuring the Bank’s IT security and IT operations,
  • prevention and investigation of criminal offences,
  • video surveillance for the collection of evidence in the event of criminal offences or as proof of disposition and deposits. It thereby serves to protect the customers and employees as well as to safeguard domiciliary rights,
  • measures for building and system security (e.g. access controls),
  • measures to secure domiciliary rights,
  • measures for business management and the further development of services and products.

3. On the basis of your consent (Article 6 para. 1 lit. a of the GDPR)
If you have provided us with your consent to process personal data for certain purposes (e.g. passing on your data within the Hoerner Bank Group, analysis of payment transaction data for marketing purposes), the legality of this processing exists on the basis of your consent. Consent can be revoked at any time. This also applies to the revocation of declarations of consent – such as the SCHUFA clause, for example – issued to us prior to the validity of the GDPR, i.e. before May 25, 2018.

Please note that revocation is effective for the future only. Processing that already took place prior to revocation is not affected.

4. On the basis of statutory or legal requirements (Article 6 para. 1 lit. c of the GDPR) or in the public interest (Article 6 para. 1 lit. e of the GDPR)
In addition, as a bank, we are subject to various legal obligations, i.e. statutory requirements (e.g. Credit Services Act, Money Laundering Act, Securities Trading Act, tax laws) and bank regulatory requirements [e.g. of the European Central Bank, the European Banking Supervisory Authority, the German Federal Bank and the (German) Federal Financial Supervisory Authority]. The reasons for processing include, among other things, checking creditworthiness, verification of identity and age, the prevention of fraud and money laundering, the fulfilment of fiscal control and reporting obligations as well as the evaluation and control of risks.

Who receives my data?

Within the bank, those that need your data to fulfil our contractual and legal obligations have access to it. The data processors (Article 28 of the GDPR) used by us may also receive data for these stated purposes. These are companies in the categories of credit services, IT services, logistics, printing services, telecommunications, debt collection, advice and consulting as well as sales and marketing.

With regard to the passing on of data to recipients outside our bank, it must first be noted that we are obliged to maintain confidentiality about all customer-related facts and assessments of which we gain knowledge in accordance with the general terms and conditions agreed between you and us (banking secrecy). We may only disclose information about you if required to do so by law, if you have given your consent or if we are authorized to disclose details of banking affairs. Under these conditions, recipients of personal data could be, for example:

  • public offices and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, financial authorities) in the event of a legal or official obligation.
  • other credit and financial services institutions or similar institutions to which we transmit personal data in order to carry out the business relationship (depending on the contract: e.g. correspondent banks, portfolio banks, stock exchanges, credit agencies).

Other recipients of data may be those bodies for which you have given us your consent to transfer data or for which you have exempted us from banking secrecy in accordance with an agreement or consent.

How long is my data saved for?

We process and store your personal data for the duration of our business relationship, which, for example, also includes development and implementation of a contract. It should be noted here that our business relationship is a continuing obligation that is set up for years.

In addition, we are subject to various retention and documentation obligations arising from the (German) Commercial Code (HGB), Fiscal Code (AO), Credit Services Act (KWG), Money Laundering Act (GwG) and Securities Trading Act (WpHG). The specified periods for retention and documentation range from two to ten years.

Ultimately, the retention period is also determined according to the statutory limitation periods, which for example, according to Sections 195 et seq. of the German Civil Code (BGB), can generally be three years, but in certain cases can also go up to thirty years.

Will data be transferred to a third country or to an international organization?

Data are only transmitted to third countries (countries outside the European Economic Area – EEA) if this is necessary to execute your mandates (e.g. payment and securities transactions), is legally prescribed, or if you have granted us your consent. We will inform you separately about details, as prescribed by law.

What data protection rights do I have?

Any persons affected shall have the right to information under Article 15 of the GDPR, the right to correction under Article 16 GDPR, the right to deletion under Article 17 of the GDPR, the right to limitation of processing under Article 18 of the GDPR and the right to data transfer under Article 20 of the GDPR. The restrictions according to Sections 34 and 35 of the BDSG (Federal Data Protection Act) apply to the right to information and the right to deletion. In addition, there is a right of appeal to the responsible data protection supervisory authority (Article 77 of the GDPR in conjunction with Section 19 of the BDSG).

Further, you have the right to object to the processing of personal data concerning you at any time for any reason arising from your particular situation under Article 6 para. 1 lit. e of the GDPR (data processing in the public interest) and Article 6 para. 1 lit. f of the GDPR (data processing on the basis of balancing interests). This also applies to profiling on the basis of this provision within the meaning of Article 4 no. 4 of the GDPR, which we use for assessing creditworthiness or for advertising purposes.

If you object, we will no longer process your personal data unless we can provide compelling legitimate reasons for the processing, which outweigh your interests, rights and freedom, or the processing serves to assert, exercise or defend legal claims.

In individual cases we process your personal data in order to create direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling, insofar as this is in connection with such direct advertising.

If you object to the processing of your personal data for the purpose of direct advertising, then your personal data will no longer be processed for this purpose.

Am I obligated to provide data?

Within the framework of our business relationship, you only have to provide those personal data which are required for the establishment, execution and termination of a business relationship or which we are legally obliged to collect. Without these data we will usually have to refuse the conclusion of the contract or the execution of the mandate or we will no longer be able to execute an existing contract and may possibly have to terminate it.

In particular, as per the regulations of the money laundering law, we are obliged to identify you before establishing the business relationship, for example on the basis of your identity card and to collect your name, place and date of birth, nationality and address. In order for us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising over the course of the business relationship. If you do not provide us with the necessary information and documents, we are not permitted to enter into the business relationship requested by you.

Is my data used for automated decision making in individual cases?

We generally do not use fully automated decision making according to Article 22 of the GDPR for the establishment and implementation of the business relationship. If we use this procedure in individual cases, we will inform you about this and about your rights in this regard separately, insofar as this is prescribed by law.

To what extent is my data used for profiling (scoring)?

We process some of your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

  • On the basis of legal and regulatory requirements, we are obligated to combat money laundering, the financing of terrorism and asset-endangering crimes. In this regard, assessment of data (in payment transactions, amongst other things) is also effected. These measures also serve to protect you.
  • We use assessment tools in order to be able to provide you with targeted information and advice about products. These facilitate communication and advertising that is tailored to needs, including market and opinion research.
  • We use scoring within the scope of assessing your creditworthiness. This calculates the probability that a customer will fulfil their payment obligations according to contract. The calculation includes income level, outgoings, existing liabilities, profession, employer, length of employment, experience from the business relationship to date, repayment of previous loans according to contract as well as information from credit agencies. Scoring is based on a mathematically and statistically recognized and proven procedure. The calculated score values support us in decision-making within the scope of product contracts and are included in the current risk management.

Social media and analysis tools

Facebook Pixel
This website uses the Facebook visitor action pixel for conversion measurement. This service is provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transmitted to the USA and other third countries.

Visitors’ activity can be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This enables the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and allows optimization of future advertising measures.

For us, the operator of this website, the data collected is anonymous and we are not able to draw any conclusions regarding the identity of the users. However, the data is stored and processed by Facebook and so a connection to the respective user profile is possible. Facebook is able to use the data for its own advertising purposes, in accordance with Facebook data usage policy. Facebook can thereby enable the placement of advertisements both on Facebook pages and beyond Facebook. As the website operator we are not able to influence this usage of the data.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a General Data Protection Regulation (GDPR) [DSGVO] and Section 25 para. 1 German Telecommunications-Telemedia Data Protection Act [TTDSG]. Consent can be revoked at any time.

Transmission of data to the USA is based on the EU Commission’s standard contractual clauses. For details go to https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Where personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for data processing (Art. 26 GDPR). This joint responsibility is limited exclusively to collection of the data and forwarding thereof to Facebook. Subsequent processing by Facebook after data has been forwarded does not fall under this joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The text of the agreement is available at https://www.facebook.com/legal/controller_addendum.

According to this agreement, we are responsible for providing data protection information and for secure implementation in accordance with data protection law when utilizing the Facebook tool on our website. Facebook is responsible for the data security of Facebook products. You can assert rights as a data subject (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your subject access rights with us, we are obliged to forward them to Facebook.

You can find further information on data protection under Facebook’s privacy policy: https://de-de.facebook.com/about/privacy/.

In addition, you can also deactivate the “Custom Audiences” remarketing function in the ad settings section at

https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. You must be logged in to Facebook to do this.

If you do not have a Facebook account, you can disable Facebook’s usage-based advertising on the European Interactive Digital Advertising Alliance website http://www.youronlinechoices.com/de/praferenzmanagement/.

LinkedIn Insight Tag
This website uses the Insight tag from LinkedIn. This service is provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Data processing by LinkedIn Insight tag
We use the LinkedIn Insight tag to obtain information about visitors to our website. This enables us to analyze the key occupational data (e.g. career level, company size, country, location, industry, job title) of website visitors who are registered with LinkedIn and thereby improve how we target our website to the relevant audience. We can also use LinkedIn Insight tags to track whether visitors to our websites make a purchase or perform other actions. Conversion measurement can also be carried out across multiple devices (e.g. from PC to tablet). LinkedIn Insight Tag also has a retargeting function that allows us to personalize advertising to visitors beyond our website. According to LinkedIn, there is no identification of the person targeted by the advertising.

LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser details and the time of access). The IP addresses are shortened or – if they are used to reach LinkedIn members across multiple devices – hashed (pseudonymized). The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The pseudonymized data that remain are deleted within 180 days. As the website operator, we are not able to assign the data collected by LinkedIn to specific individuals. LinkedIn shall store the personal data collected from website visitors on its servers in the USA and use it for its own promotional activities. For details, please see LinkedIn’s data protection policy at https://www.linkedin.com/legal/privacy-policy#choices-oblig.

Legal basis
If your consent has been obtained, the above service is used exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Section 25 German Telecommunications-Telemedia Data Protection Act [TTDSG]. Consent may be revoked at any time. Where no consent was obtained, the service is used on the basis of Art. 6 para. 1 lit. f GDPR; the website operator has a legitimate interest in effective advertising promotions that include utilizing social media.

Transmission of data to the USA is based on the EU Commission’s standard contractual clauses. For details go to https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

Objection to the use of LinkedIn Insight Tag
You can object to LinkedIn’s analysis of user activity and targeted advertising via the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

In addition, LinkedIn members are able to manage how their personal information is used for promotional purposes in their account settings. To prevent LinkedIn from connecting information collected on our website to your LinkedIn account, you must log out of your LinkedIn account before visiting our website.

Google Tag Manager
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. Google Tag Manager itself does not create user profiles, store cookies or perform any independent analyses. It is used only to manage and run the tools integrated through it. Google Tag Manager does however collect your IP address, which may also be transmitted to Google’s parent company in the United States.

The use of Google Tag Manager is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in quick and uncomplicated integration and management of various tools on its website. If corresponding consent has been obtained, data processing is exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 German Telecommunications-Telemedia Data Protection Act [TTDSG], insofar as this consent includes storing cookies or accessing information on the user’s device (e.g. device fingerprinting) as defined in TTDSG. Consent may be revoked at any time.

Information regarding your right to object according to Article 21 GDPR

Right of objection on a case-by-case basis

You have the right to object to the processing of personal data concerning you at any time for any reason arising from your particular situation under Article 6 para. 1 lit. e of the GDPR (data processing in the public interest) and Article 6 para. 1 lit. f of the GDPR (data processing on the basis of balancing interests), including profiling within the meaning of Article 4 no. 4 of the GDPR.

If you object, we will no longer process your personal data unless we can provide compelling legitimate reasons for the processing, which outweigh your interests, rights and freedom, or the processing serves to assert, exercise or defend legal claims.

Right of objection with data processing for the purpose of direct advertising

In individual cases we process your personal data in order to create direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling, insofar as this is in connection with such direct advertising.

If you object to the processing of your personal data for the purpose of direct advertising, then your personal data will no longer be processed for this purpose.

Recipient of an objection

The objection can be made in any form with the subject line “Objection” stating your name, your address and your date of birth and should be addressed to:

Hoerner Bank AG
Oststrasse 77, 74072 Heilbronn, Germany
Tel.: +49 7131 9322-0
info@hoernerbank.de

Legal notice

By judgement of May 12, 1998, Hamburg Regional Court decided that, if applicable, owners of websites shall also be held responsible for the links to third-party websites that are included on their websites. This, according to the Regional Court, can only be prevented if the owners of the website expressly dissociate themselves from the content of these links. On our website, we have included links to third-party websites. The following applies to all links on this website: We would like to expressly state that we have no influence on the design and content of the pages linked. We herewith expressly dissociate ourselves from all content of all links to third-party websites that are included on our entire website, including all sub-sites. This declaration also applies to all external links on our website as well as to links and buttons leading to third-party websites and the content thereof.

The provider makes every reasonable effort to provide correct, up-to-date and complete information via its website. Except in cases of intent and gross negligence or other cases in which a limitation of liability is excluded by law, the provider does not guarantee the completeness, accuracy and up-to-dateness of the information available on the website nor the suitability of the information for the purposes of the user.

The provider does not guarantee the uninterrupted and constant availability of the website nor the absence of malicious files (viruses, Trojans, etc.).