With the following information, SAMDE provides customers with an overview of the processing of the customers' personal data by SAMDE and the customers' rights under data protection law. Which data is processed in detail and how it is used depends mainly on the services requested or agreed upon in each case. Customers are also requested to disclose information to current and future authorized representatives and beneficial owners. This includes, for example, beneficiaries in the event of death or authorized signatories.
1. Responsibility for data processing
Responsible entity is:
Serafin Asset Management GmbH, Börsenstraße 13-15, 60313 Frankfurt, email@example.com
SAMDE has the status of a securities service provider authorized and licensed by the German Federal Financial Supervisory Authority (BaFin) and is subject to the associated auditing and quality requirements. You can reach the company data protection officer at:
Dr. Volker Wodianka of Wodianka privacy legal GmbH
Dockenhudener Str. 12a
T +49 (0)40 2110786-0
2. Processing of personal data
SAMDE processes personal data that it receives from its customers in the course of the business relationship. This is the case when customers get in touch with SAMDE, e.g. as an interested party, applicant or customer and in particular when customers are interested in SAMDE's products and fill out online contract forms, register for online services or contact SAMDE by e-mail, by phone or by application, as well as when they use the products and services as part of an active business relationship. In all these cases, SAMDE collects, stores, uses, transmits or deletes personal data. In addition, SAMDE processes - to the extent necessary for the provision of the service - personal data which SAMDE has received from other companies or from other third parties (other service providers of SAMDE) in a permissible manner (e.g. for the execution of orders, for the fulfillment of contracts or based on consent given by the customers). On the other hand, SAMDE processes personal data that it has permissibly obtained from publicly accessible sources (e.g. land registers, commercial and association registers, Federal Gazette, press, media, Internet) and was allowed to process. In certain cases, SAMDE collects personal data from potential customers and interested parties.
To the extent necessary, SAMDE also collects personal data from persons who have no direct connection with it and who, for example, belong to one of the following categories of persons:
- Family members
- Legal representatives (authorized representatives)
- Beneficiaries of the customers
- Beneficial owners of the customers
- Representative of legal entities
- Employees of service providers or trading partners
Personal data may be collected, processed and stored when products/services are concluded and used.
SAMDE processes the following personal data:
- Identity information: (e.g. first and last name, ID card or passport number, nationality, place and date of birth, gender, photograph, IP address).
- Contact information: (address, e-mail address and phone number)
- Tax information: (tax identification number, tax status)
- Banking, financial, and transaction data: (e.g. bank details (IBAN), money transfers to customer's account/deposit, assets, investor profile communicated).
- Habits and preferences data: (IP addresses, data on the use of SAMDE's products and services in terms of banking, financial, and transactional data, data on interaction between the customer and SAMDE (visits to SAMDE's website, face-to-face meetings, phone calls, chat histories, email traffic, surveys).
- Securities business: information on knowledge and/or experience with financial instruments, risk tolerance of the customer (MiFID status), information on education and occupation (e.g. level of education, occupation, name of employer, earnings), ﬁnancial situation including ability to bear losses (assets, liabilities, income, e.g. from un/self-employed work/commercial business; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children's education), concrete goals/significant concerns in the future (e.g., planned purchases, redemption of liabilities), marital status and family situation, information on the customer's sustainability preferences (environmental, social, and corporate governance factors) in connection with his or her investments, tax information (e.g., information on church tax pﬂicht), documentary data (e.g., suitability declarations)
- Interest rate, currency and liquidity management: information on knowledge and/or experience with interest rate/currency products/money investments (MiFID status), investment behavior/strategy (scope, Häuﬁgkeit, risk tolerance), occupation, ﬁnancial situation (assets, liabilities, income, e.g. from un/self-employed work/commercial business; expenses), foreseeable changes in financial circumstances (e.g., retirement age, children's education), specific goals/major concerns in the future (e.g., planned purchases, redemption of liabilities), tax information (e.g., indication of church tax pﬂicht), documentary data (e.g., declarations of suitability).
- Customer contact information: In the course of the business initiation phase and during the business relationship, in particular through personal, telephone or written contacts, initiated by the customer or by SAMDE, further personal data is generated, e.g. information on the contact channel, date, occasion and result, (electronic) copies of correspondence as well as information on participation in direct marketing measures as well as details of interests and wishes expressed by the customers to SAMDE
- Audiovisual data: (data from the video legitimation procedure, recordings of calls).
- If requested by the customer, personal data of children is also collected. Here, SAMDE ensures that the holders of parental responsibility consent to the processing of personal data or, in certain cases, agree to the child's consent.
- Personal data concerning racial or ethnic origin, political beliefs, religious or ideological views, trade union membership, as well as genetic data, biometric data for the unique identification of a natural person, health data or data concerning sex life or sexual orientation are generally not processed by SAMDE.
- When visiting the website www.serafin-am.com or www.srfn.de or downloading the app Serafin:
- When calling up the SAMDE website, information is automatically sent to the server of the SAMDE website by the browser used on the customer's end device/computer. This information is temporarily stored in a so-called log file. The following information is collected without the customer's intervention and stored until automated deletion:
- IP address of the requesting computer (or terminal device)
- Date and time of access
- Time zone difference from Greenwich Mean Time (GMT)
- Name and URL of the retrieved file
- Content of the request (concrete page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Browser Operating system and its interface, if applicable the operating system of the computer (or terminal device) used as well as the name of the customer's access provider
- Language and version of the browser software
- Website from which the access is made
3. Purpose of processing and legal basis
SAMDE processes the aforementioned personal data in accordance with the provisions of the General Data Protection Regulation (DS-GVO) and the Federal Data Protection Act (BDSG):
For the fulfillment of contractual Pﬂichten (Article 6 para. 1 lit. b DS-GVO):
Personal data is processed for the provision of financial services in the context of the performance of SAMDE's contracts with its customers or for the performance of pre-contractual measures, which are carried out at the request of the customers. The purposes of the data processing primarily depend on the specific product (see under point 2) and may include, among other things, needs analyses, advice, asset management and support, and the execution of transactions. Customers can find further details on the purpose of data processing in the respective contract documents and terms and conditions.
SAMDE processes the personal data of individuals within its suppliers' organization in order to obtain services from them. It also stores the financial data so that it can pay for the services of its suppliers.
Within the framework of the balancing of interests (Article 6 para. 1 lit. f DS-GVO):
Where necessary, SAMDE processes customer data beyond the actual performance of the contract in order to protect the legitimate interests of SAMDE or third parties. Examples:
- Assertion of legal claims and defense in legal disputes
- Ensuring the IT security and IT operation of SAMDE.
- Prevention of criminal acts, in particular fraud prevention
- Video surveillance for the preservation of domiciliary rights, for the collection of evidence in the case of robberies and fraud offences
- Measures for building and plant security (e.g. access controls)
- Measures to ensure the right of domicile
- Measures for business management and further development of services and products
- Ensuring a smooth connection establishment of the website
- Ensuring a comfortable use of the website of SAMDE
- Evaluation of system security and stability, and
- for other administrative purposes
- In no case does SAMDE use data to draw conclusions about the person of the respective customer.
- Based on the consent of the customer (Article 6 para. 1 lit. a DS-GVO):
Insofar as the customer has given SAMDE consent to process personal data for certain purposes (e.g. transfer of data in the network or to use his data for certain advertising purposes), the lawfulness of this processing is given on the basis of the consent. Consent given can be revoked at any time. This also applies to the revocation of declarations of consent given to the SAMDE before the applicability of the General Data Protection Regulation, i.e. before May 25, 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected. If SAMDE intends to use the customer's personal data for purposes other than those mentioned above, SAMDE will inform the customers accordingly and, if necessary, obtain their consent.
Due to legal requirements (Article 6 para. 1 lit. c DS-GVO) or in the public interest (Article 6 para.1 e DS-GVO):
Furthermore, as a securities institution, SAMDE is subject to various legal obligations. This means that legal requirements (e.g. Securities Institutions Act, Money Laundering Act, Securities Trading Act, tax laws) as well as banking supervisory requirements (e.g. of the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the German Federal Financial Supervisory Authority (BaFin)) must be met. The purposes of processing include, but are not limited to, identity and age verification, fraud and money laundering prevention, compliance with sanctions and embargo provisions, to respond to official inquiries from a competent governmental body or judicial authority, to fulfill tax control and reporting obligations, and to assess and manage risks of SAMDE.
4. Recipients of personal data from customers
Within SAMDE, those entities shall be granted access to the customer's data that need it for the fulfillment of contractual and legal Pﬂichten. Service providers and vicarious agents used by SAMDE may also receive data for these purposes if they comply with banking secrecy and SAMDE's written instructions under data protection law.
With regard to the transfer of data to recipients outside SAMDE, it should first be noted that SAMDE is obligated to maintain confidentiality about all customer-related facts and evaluations of which it becomes aware.
SAMDE may only pass on information about customers if this is required by law, if the customer has given his consent, if processors commissioned by SAMDE guarantee compliance with banking secrecy and the requirements of the General Data Protection Regulation/Federal Data Protection Act in the same way. Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions (e.g. Deutsche Bundesbank, German Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities, German Federal Central Tax Office) in the event of a statutory or regulatory obligation
- SAMDE's sister companies based in Switzerland (Serafin Asset Management AG and Alpora AG), to which SAMDE transfers personal data in order to carry out the business relationship with the customers. These companies are also legally or contractually obligated to treat personal data with the necessary care.
- Other credit and securities institutions, comparable institutions and order processors to whom SAMDE transfers personal data in order to carry out the business relationship with the customers. These companies are also legally or contractually obligated to treat personal data with the necessary care.
- independent agents, intermediaries, brokers
- Service providers supporting SAMDE, specifically in the following activities: Support/maintenance of EDP/IT applications, archiving, document processing, call center services, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, purchasing/procurement, credit processing services, recovery, customer administration, lettershops, marketing, media technology, reporting, research, risk controlling, expense reporting, telephony, video legitimation, website management, securities services, share register, fund administration, auditing services, payment transactions.
- Members of certain regulated professions such as lawyers, notaries or auditors
- Further data recipients may be those entities for which the customers have given their consent to the data transfer
Note: Under no circumstances will personal data be sold to third parties.
5. As a rule, no transfer of data to a third country or to an international organization.
In order to execute the customer contract, it may be necessary for SAMDE to transfer personal data to Switzerland, in particular to Serafin Asset Management Schweiz AG and Alpora AG. The European Commission has recognized the level of data protection there as adequate.
Otherwise, data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of customer orders (e.g. payment and securities orders), is required by law (e.g. tax reporting requirements), the customers have given their consent, or within the scope of order processing. If service providers in the third country are used, they are, in addition to written instructions, obligated by the agreement of the EU standard contractual clauses to comply with the level of data protection in Europe. If you require a printout of these provisions or information on their availability, you can contact SAMDE in writing.
6. Storage period of the data
SAMDE processes and stores personal data of customers as long as it is necessary for the fulfillment of contractual and legal Pﬂichten. In this context, it should be noted that the business relationship is a continuing obligation that is intended to last for several years. If the data is no longer required for the fulfillment of contractual or statutory Pﬂichten, it is regularly deleted, unless the - temporary - further processing is required for the following purposes:
- Compliance with retention periods under commercial and tax law. These include obligations arising from the German Commercial Code, the German Fiscal Code, the German Securities Act, the German Money Laundering Act and the German Securities Trading Act. The retention and documentation periods specified there range from two to ten years.
- Preservation of evidence within the framework of the statute of limitations. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.
7. Protection of personal data
SAMDE will take reasonable and appropriate measures that protect stored and processed information from misuse, loss or unauthorized access. To this end, SAMDE has taken a number of technical and organizational measures.
If you suspect that your personal information has been misused, lost, or accessed without authorization, please notify SAMDE as soon as possible.
8. Data protection rights under the basic data protection regulation
Every data subject has the right to information under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR. With regard to the right to information and the right to erasure, the restrictions pursuant to Sections 34 and 35 BDSG apply.
The right of access includes information about the purposes of processing, the category of personal data, the categories of recipients to whom personal data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing, objection or data portability, the existence of a right of complaint, the origin of the data, if not collected by SAMDE, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.
The customer may request the immediate correction of incorrect or the completion of personal data collected by SAMDE at any time.
The customer may request the deletion of his personal data stored by SAMDE, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims. If none of the aforementioned cases apply, SAMDE will delete this data. As a rule, SAMDE will also include the name of the customer in the list of persons who do not wish to be contacted. In this way, SAMDE minimizes the chance that customers will be contacted in the future if their data is collected separately under different circumstances.
In certain circumstances, the customer may request that SAMDE restricts the processing of its personal data. This means that SAMDE will only store customer's data in the future and cannot carry out any further processing activities until: (i) one of the conditions listed below has been removed, (ii) the customer gives consent, or (iii) further processing is necessary to assert, exercise or defend legal claims, to protect the rights of others, or if it is necessary due to legitimate public interest of the EU or a Member State. In the following circumstances, Customer may request that SAMDE restrict the processing of Customer's Personal Data:
- If the customer disputes the accuracy of the personal data that SAMDE processes about the customer. In this case, the processing of the customer's personal data by SAMDE will be restricted until the accuracy of the data has been verified.
- If the customer objects to the processing of his personal data by SAMDE in terms of SAMDE's legitimate interests. In this case, the customer may request that the data be restricted while SAMDE reviews its reasons for processing the customer's personal data.
- If the processing of the customer's data by SAMDE is unlawful, but the customer prefers to limit the processing by SAMDE instead of having the data deleted.
- If there is no longer a need for SAMDE to process the customer's personal data, but the customer needs the data to assert, exercise or defend legal claims.
The customer may receive his personal data, which he has provided to SAMDE, in a structured, common and machine-readable format or request the transfer to another responsible party.
If a decision to conclude or perform a contract has only been made in an automated process (Art. 22 DS-GVO) and this decision has legal effect vis-à-vis the customer or the customer is similarly significantly affected, the customer may request SAMDE to conduct a manual review again after having explained its position to SAMDE and requested the manual review. In the event of such a decision, SAMDE shall also separately inform the customer about the reason and the scope and intended effects of such data processing.
In addition, there is a right of appeal (Article 77 DS-GVO in conjunction with Section 19 BDSG). The customer can contact the data protection officer at firstname.lastname@example.org in this regard. In addition, the customer may contact the supervisory authority of his usual place of residence or workplace or the registered office of SAMDE.
The customer may revoke a given consent to the processing of personal data at any time vis-à-vis SAMDE. This also applies to the revocation of declarations of consent given to SAMDE before the applicability of the General Data Protection Regulation, i.e. before May 25, 2018. The customer is informed that the revocation is only effective for the future. Processing that took place before the revocation is not affected by this. The separate notice at the end of this data protection notice also applies in this regard.
Upon the customer's objection, SAMDE shall cease the relevant activities. This applies with the exception that SAMDE can demonstrate that there are overriding legitimate grounds for the processing which override the interests of the customer or the data are processed in order to assert, exercise or defend a legal claim.
9. Obligation to provide data
Within the scope of the joint business relationship, the customer must provide those personal data that are required for the establishment and execution of a business relationship and the fulfillment of the associated contractual pﬂichten or that SAMDE is legally obligated to collect. Without this data, SAMDE will usually have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it. In particular, SAMDE is obligated under money laundering regulations to identify the customer prior to the establishment of the business relationship, for example by means of an identity card, and to collect and record name, place of birth, date of birth, nationality as well as residential address and identification data. In order for SAMDE to comply with this legal obligation, the customer shall provide SAMDE with the necessary information and documents in accordance with Section 11 (6) of the German Money Laundering Act (Geldwäschegesetz) and shall notify SAMDE without delay of any changes arising in the course of the business relationship. Should the customer fail to provide SAMDE with the necessary information and documents, SAMDE shall not be allowed to enter into or continue the business relationship requested by the customer.
10 Automated decisionﬁndings
For the establishment and implementation of the business relationship, SAMDE does not use fully automated decisionﬁndings according to Article 22 DS-GVO. Should SAMDE use these procedures in individual cases, the customers will be informed about this separately, if this is required by law.
SAMDE processes the customers' data in part automatically with the aim of evaluating certain personal aspects (Proﬁling). In this context, SAMDE uses Proﬁling in the following case, for example:
- Due to legal requirements, SAMDE is responsible for combating money laundering and fraud. This also includes data analysis (e.g., in payment transactions). These measures also serve to protect customers.
12. Modification clause
Information about your right to object according to Article 21 of the General Data Protection Regulation (GDPR)
1. Right to object on a case-by-case basis
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) DS-GVO (data processing in the public interest) and Article 6 (1) (f) DS-GVO (data processing on the basis of a balance of interests); this also applies to a proﬁling based on this provision within the meaning of Article 4 (4) DS-GVO. If you object, SAMDE will no longer process your personal data unless compelling legitimate grounds for the processing can be demonstrated which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
2. Right to object to processing of data for advertising purposes
In individual cases, your personal data will be processed for the purpose of direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to proﬁling insofar as it is related to such direct advertising. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
The objection can be made without any formalities and should be sent by e-mail to the following address of the SAMDE: datenschutz[at]serafin-am.com.