The following privacy policy provides an overview how your data is recorded and processed.

With the following information, we would like to give you an overview of how we process your personal data as well as your rights under the Data Protection Act. What specific data is processed in detail and how it will be used depends on the requested or agreed services.

1. Who is responsible for data processing and who can I contact?

In respect of leasing

GRENKE Limited

FAO Data Protection 

Q-House, Suite 306

Furze Road

Sandyford Business Park

Dublin D18 CP83

Phone: +353 1 292 3400

Email: [email protected]

In respect of invoice financing:

GRENKE IF Ireland, Data Protection

FAO Data Protection

Q-House, Suite 508

Furze Road

Sandyford Business Park

Dublin D18 CP83

Phone: +353 1 297 1060

Email: [email protected]

2. What sources and data do we use? 

We process personal data that we receive from our customers as part of our business relationship. In addition, we process – as far as necessary for the provision of our services – personal data that we might collect from publicly accessible sources (e.g. debtor directories, land registers, trade and association registers, press, internet) or that was obtained from our distribution partners or from other third parties (e.g. a credit agency). Finally, we process personal data of our shareholders, shareholder representatives, guests of the Annual General Meeting and analysts on the basis of our legal obligations.

Relevant personal data includes:

• Personal details (name, address, birthday, place of birth , PPSN and nationality)
• Contact details (telephone, e-mail address)
• Verification data (e.g. ID data)
• Authentication data (e.g. signature sample)
• Order data (e.g. payment order)
• Data from the fulfilment of our contractual obligations (e.g. sales data in payment transactions)
• Information about your financial situation (e.g. creditworthiness data, scoring/rating data, source of assets)
• Advertising and sales data (including advertising scores), documentation data (e.g. consultation minutes)
• Data in connection with the shareholder position, such as the number of shares, type of shares, type of share ownership or information on the bank holding your shares.
• Data in connection with the Annual General Meeting of GRENKE AG such as the number of the admission ticket, powers of attorney, instructions, etc.

 and other data comparable to the aforementioned categories.

3. What do we process your data for (purpose of processing) and on what legal basis? 

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). 

a. For the fulfilment of contractual obligations (Article 6 (1) (b) of the GDPR)

Data is processed in order to provide financial services as part of the execution of our contracts with our customers or to carry out pre-contractual actions, which are carried out upon request. The purposes of data processing are primarily geared towards the specific product (e.g. leasing, factoring) and may include, but are not limited to, needs analysis, consulting and to perform transactions. 

b. As part of the legitimate interest (Article 6 (1) (f) of the GDPR)

As far as necessary, we process your data beyond the actual fulfilment of the contract for the protection of our legitimate interests or those of third parties, in particular:  

Consultation and exchange of data with credit agencies e.g. Central Credit Register and Experian to identify credit risk or default risk

For the purposes of examining possible credit risks and default risks as well as preventing criminal offences, we provide Experian (Registered office at Newenham House, Malahide Road, Northern Cross, Dublin 17), Experian with data on the application and the applicant.  Experian will make the data safe and available to us through direct electronic mail provided that we have given convincing evidence that our interest in this is legitimate. CRIF Bürgel GmbH will provide us with data stored on your person in the DSPortal (Deutsches Schutz Portal) if we have credibly demonstrated our legitimate interest.

The legal bases of these transfers are Article 6 (1) (b) and Article 6 (1) (f) of the GDPR. Transfers on the basis of Article 6 (1) (f) of the GDPR may only be made to the extent necessary to safeguard our legitimate interests or those of third parties and provided these interests do not outweigh the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.

Credit agencies process the data obtained and also use it for the purposes of profiling (scoring) in order to provide their contractors in the European Economic Area and in Switzerland and, where applicable, other third-party countries (if there is an adequacy decision by the European Commission) with information in order to, inter alia, make assessments on the creditworthiness of natural persons.
Detailed information according to Article 14 of the GDPR on the activities of the credit agencies can be found for the respective credit agency under the following link:

• https://www.centralcreditregister.ie 
• www.experian.ie

Review and optimisation of requirements analysis procedures for direct customer contact

Optimisation and needs-based design of the website

Advertising or market and opinion research, provided that you have not objected to the use of your data

Asserting legal claims and defence in legal disputes

Ensuring the IT security and IT operation of our company

Prevention and investigation of criminal offences

Video surveillance for the protection of domiciliary rights, and for the collection of evidence in cases of robbery and fraud

Measures for building and plant safety (e.g. access control)

Measures to safeguard domiciliary rights

Measures for business management and further development of services and products

Quality assurance to optimize internal business processes

c. On the basis of your consent (Article 6 (1) (a) GDPR)

Insofar as you have given us your consent to process your personal data for specific purposes (e.g., analysis of payment transaction data for marketing purposes), the legality of this processing is assured on the basis of your consent. Consent that has been issued can be revoked at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR came into effect, i.e. before 25 May 2018. The revocation of consent does not affect the legality of the data processed until the revocation.
 
d. Based on legal requirements (Article 6 (1) (c) GDPR),  or in the public interest (Article 6 (1) (e)  GDPR)
In addition, we are subject to various legal obligations, i.e. legal requirements (e.g., in respect of financial services laws, anti-money laundering legislation or tax laws) as well as banking supervisory requirements (e.g., the European Central Bank, the European Banking Authority, or the Central Bank of Ireland). The purposes of the processing include, but are not limited to, the creditworthiness check, identity and age checks, prevention of fraud and money laundering, the fulfilment of tax auditing and reporting obligations, and the assessment and management of risks.

Due to legal obligations, under the Companies Act 2014 as well as due to the legitimate interests in the context of the organization and orderly conduct of Annual General Meetings, we also process personal data of shareholders, shareholder representatives and, if applicable, guests at the Annual General Meeting of GRENKE AG (in particular name and contact details). The processing of this data is necessary for the participation of shareholders, shareholder representatives and possible guests in the Annual General Meeting or the holding of analyst events. Personal data is stored in accordance with legal obligations and then deleted.

4. Who receives my data?

Within our organisation, the entities that gain access to your data are those who need it in order to fulfil our contractual and legal obligations. Our service providers and vicarious agents may also receive data for these purposes. These are companies in the categories of financial services, IT services, logistics, printing services, telecommunications, debt collection, advising and consulting, as well as sales and marketing.

With respect to the disclosure of data to recipients outside our Group, we may only disclose information about you if we are required to do so by law, or is in our legitimate interest or if you have given us your consent to do so. Under these conditions, recipients of personal data may be, for example:

• Public authorities and institutions (e.g.,Financial Supervisory AuthorityEuropean Banking Authority, European Central Bank) in the presence of a legal or regulatory obligation.
• Other credit and financial services institutions or
• comparable institutions to which we transfer personal data over the course of our business relationship with you (depending on the contract, e.g., correspondent banks, credit agencies).
• Other companies within the group
• for risk management due to legal or regulatory obligations.

Other data recipients may be those to whom you have given us your consent for your data to be submitted.

We may also share your information within the GRENKE Group and with our parent company, GRENKE AG for our legitimate business interest.

5. Is data transmitted to a third-party country or to an international organisation?

A transfer of data to official bodies in countries outside the European Union (so-called third-party countries) takes place, as far as

• this is required in order to execute your orders (e.g. payment orders),
• this is required by law (e.g. in order to comply with tax reporting obligations), or
• you have given us your consent; or
• the conditions of the GDPR are complied with in respect of the transfer of data to third countries. 

6. How is my data processed on the website?

Unless otherwise stated, we process your data on our website either to action your request (Article 6 (1) (b) GDPR) or based on our legitimate interests (Article 6 (1) (f) GDPR) as follows:

a. Usage data
 
Every time you access a page and retrieve a file, this process automatically saves general data to a log file. The storage is exclusively system-related and is purely used for security purposes respectively to report criminal offences in exceptional circumstances. The data is stored in httpd access logs in the data centers of our service provider Bloomreach and can be accessed in case of a legitimate interest.
A transfer of data to other third parties or any other evaluation does not take place, unless there is a legal obligation to do so. Data will be deleted automatically after 4 weeks retention time.

In detail, the following data record is saved for each access:

• Device used
• Name of the accessed file
• Date and time of access
• Time zone
• Transferred data volume
• Report as to whether the access was successful
• Description of the type of web browser used
• Operating system used
• The previously visited site
• Provider
• User's IP address
We do not save your browser history.
The legal basis for data processing is Article 6 (1) (f) GDPR. Our legitimate interest follows from the aforementioned purposes as well as the technical necessity of processing the collected data in order to display our website to you.

b. Contact

In order to be able to give you the best possible advice as part of a request via our contact forms, the appropriate group company that is best suited to respond to your request will be identified after inquiring about your specific interest at the top of the page. If you contact us (e.g. via contact forms), the designated company will save your data in order to process your request (Article 6 (1) (b) GDPR) or in case any further correspondence is required. If several companies are listed there, they will process your personal data as joint data processors within the meaning of the GDPR. Further information on joint responsibility can be obtained by sending an e-mail to [email protected].

If you provide specific information about your needs or your person in the context of other enquiries (e.g. during our leasing test), we will save your data for the purpose of processing your request (Article 6 (1) (b) GDPR) and in the event that further correspondence should take place.

If you expressly agree to be contacted by e-mail, telephone or post (according to Art. 6 Para. 1 a GDPR) within the scope of the contact form, you grant GRENKE Limited and GC Factoring Ireland Limited the opportunity to inform you in future by telephone, e-mail or post about current products and services, in the selected category. We may also store your data for the purpose of sending you our newsletter. In addition, we store your e-mail address and the date of your registration in order to be able to prove your newsletter subscription in case of doubt.  The legal basis for this processing is Article 6 (1) (c) GDPR, as we are legally obliged to provide evidence of registrations. You can object to the use of your data for advertising purposes at any time or unsubscribe from the newsletter at any time by clicking on the unsubscribe link in the footer of the newsletter. 
 
If you do not give your consent  to the subscription of our newsletter, your data will be deleted after your request has been processed. Excluded from this is data for which legal or otherwise prescribed storage obligations exist.

c. Registration

The data provided during registration will only be used by us to enable you to use our website (Article 6 (1) (b) GDPR).

We collect the following data for the registration process:

• E-mail address
• User name
• Password

d. Newsletter

We are happy to inform you on the basis of your consent (Article 6 (1) (a) GDPR) about the latest news with our newsletter.

In order to receive the newsletter, you must enter your name and e-mail address. You can also enter and submit further optional information. After you have submitted your e-mail address, you will receive an e-mail from us to the e-mail address you have specified, in which you must click a confirmation link to verify the e-mail address you provided.

Your data will be stored by us only for the purposes of sending our newsletter. In addition, we store your e-mail address and the date of your registration in order to be able to prove the newsletter subscription in case of doubt. The legal basis for this processing is Article 6 (1) (c) GDPR, as we are legally obliged to provide evidence of registrations.

You can unsubscribe from the newsletter at any time by clicking the unsubscribe link at the bottom of the newsletter.

e. Data processing for conducting prize competitions
If you participate in prize competitions, we process personal data that we receive from you, e.g. name, e-mail address and, if applicable, your customer number and other data in order to enable participation in the competition. As part of the competition, we will point out which of your details are required for participation.
The processing of the data serves to provide, implement and process competitions. We process the personal data of participants in prize competitions only in compliance with the relevant data protection regulations. The legal basis for data processing is Art. 6 Para. 1 lit. b GDPR in relation to data processing for the implementation of the competition and Art. 6 Para. 1 lit. f GDPR insofar as the processing serves our legitimate interests (e.g. the security of the competition; to protect our interests from misuse through the possible collection of IP addresses when submitting competition entries). Insofar as we ask you for your consent to the sending of advertising by e-mail as part of the competition and you give us your consent to this, the legal basis for this processing is Article 6 (1) (a) GDPR.
The data of the participants will only be transmitted to other places if this is necessary for the implementation of the competition (e.g. for the purpose of sending prizes) or if a participant has consented to the transmission. External recipients can also be external service providers who support us in conducting the competition as our processors, for example if we use participation forms as part of the competition. These processors are carefully selected by us and regularly checked. They may only use the data for the purposes specified by us and according to our instructions.
The data of the participants will be deleted when the data is no longer required to carry out the competition and we no longer need the data to achieve the purposes as specified above. Processing of the data beyond the end of the competition can arise in particular if we answer questions about the prizes or fulfill the prizes; in this case, the retention period also depends on the type of prize and can be up to three years, especially for items or services, in order to be able to process warranty cases, for example. Furthermore, the data of the participants can be stored longer in individual cases, e.g. when reporting on the competition in online and offline media. If data was also collected for other purposes as part of the competition, its processing and storage period are based on the requirements for this use (e.g. for registering for the newsletter as part of a competition see the data protection information for the newsletter under lit. d).

f. Use of cookies

aa) General information

In order to make your visit to our websites more pleasant and to enable the use of certain functions, we use so-called cookies on various sites. These are small text files that are stored on your device. Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your device and allow us or our affiliates to recognise your browser on your next visit (so-called persistent cookies).

Cookies cannot access other files on your computer or identify your email address.

bb) Use of cookies

Like most websites you visit, our website also uses cookies to improve the user experience on both one-time and repeated website visits. This allows you to quickly and easily switch between sites, save your configurations, and use third-party tools (such as YouTube videos) on the website.

Cookies are either placed on our website (first party cookies) or on other websites whose content appears on our website (third-party cookies). These third-party providers (such as Facebook) may set cookies if you are logged in to their pages and visit our website. We have no influence on the cookie settings of these websites. Please visit the third-party websites for more information on their use of cookies.

cc) Legitimacy of the storage of cookies

The essential, functional  cookies are stored for the optimisation and needs-based design of our website.

Statistical cookies and cookies for marketing purposes are stored  on the basis of the user's consent. These cookies are therefore only set if the user agrees to the storage by issuing their consent to the cookie notification on the website.

dd) Deactivating and deleting cookies

The setting you choose on the first visit in response to the cookie notification will be saved. The selected settings can be adjusted here in the privacy settings at any time.

Most browsers are otherwise set to automatically accept cookies. If the default settings for cookies are stored in your browser, all processes run in the background without any notifications. However, you can change these settings at any time.

You can set your browser so that you are informed about the setting of cookies and can decide on a case-by-case basis whether they are to be accepted or deactivated for specific cases or in general.

A general objection to the use of cookies for marketing or advertising purposes can be issued for a variety of services via the website http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be achieved by switching them off in your browser settings. Please note that this may mean you won’t be able to use all the features of this website.

ee) Overview of the cookies we use

Essential cookies

Essential cookies are required in order to be able to use our website as they enable basic functions such as site navigation and access to secure areas of the website. The website may not work properly without these cookies.

Functional cookies

Functional cookies allow a website to store information that has already been entered (such as preferred language), and to provide the user with enhanced, more personalised features. Functional cookies are used for instance to enable requested functions such as playing videos. These cookies collect anonymised information; they cannot track your movements on other websites.

Statistical cookies

Statistical cookies collect information about the use of a website – such as the user’s most frequently visited pages and whether the user receives error messages when using a website. These cookies do not store information that allows the user to be identified. The information gathered is pooled and therefore evaluated anonymously. These cookies are used exclusively to improve a website's performance and thus the user experience.

g. Range analysis using Piwik

Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our website within the meaning of Art. 6 (1) (f) GDPR), we use Piwik, a software for the statistical evaluation of user access. 

Your IP address will be abbreviated before it is saved. However, Piwik uses cookies that are stored on users' computers and enable the user’s use of the website to be analysed. In this case, pseudonymous usage profiles of the users can be created from the processed data. The information generated by the cookie regarding your use of this online content is stored on our server and not passed on to third parties. 

You can opt-out of this data processing as follows

h. Use of Eloqua

We use the Eloqua service to collect statistical data about the use of our website, to send our newsletters and to optimize our services accordingly. The Eloqua servers of the supplier ORACLE Nederland B.V., Hertogswetering 163, 3543 AS Utrecht, P.O. Box 40387, 3504 AD Utrecht, Netherlands are located in the EU.

Eloqua uses "cookies", which are text files placed on your computer, to help the website analyze how users utilize the site. If you have already used a website that uses Eloqua, you may already have an Eloqua cookie. Even if this cookie is set on other websites, the information from your visit to our websites is only visible to us and is not shared with Oracle or any other users of the Eloqua system. It is also not possible for us to use this cookie to record or view information about your visits to any other websites.

If you have not expressly consented to this use, our legal basis for this is our justified interest in optimizing our offers (Art. 6 Para. 1 S. 1 lit. f DS-GVO).

The information generated by the cookie about your use of this website is transferred to a server and stored there. On our behalf, Eloqua uses this information to evaluate your use of the website and to compile reports on website activity. If you wish to prevent the use of Eloqua cookies or the evaluation of usage behavior on your device in the future, this is possible via the following link: Eloqua Opt-Out.

E-mails sent with the help of Eloqua use tracking technologies. We use this information primarily to determine which topics are of interest to you by tracking whether our emails are opened and which links you click. We then use this information to improve the emails we send you and the services we provide, as well as to link them to existing tracking or profiling information. You will not be able to track emails if you have disabled image viewing by default in your email program. In this case, however, the newsletter will not be displayed in full and you may not be able to use all functions. If you display the images manually, the above tracking will take place.

You can find further information on data protection in connection with the use of Eloqua here: Oracle Privacy Policy.

i) Use of the Facebook pixel
 
aa) Processed data

On our website we use the so-called “Facebook pixel” from “Facebook” (Facebook Ire-land Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2 Ireland). With the Fa-cebook pixel we can classify the visitors of our website into certain target groups in or-der to be able to show you advertisements ("Ads") on Facebook. The recorded data (e.g. IP addresses, information about the web browser, the location of the website, buttons clicked, possibly pixel IDs and other features) cannot be viewed by us, but can only be used in the context of displaying certain advertisements. When the Facebook pixel code is used, cookies are also set.

If you have a Facebook account and are logged in, your visit to this website will be as-signed to your Facebook user account.

In order to exchange the respective data, your browser automatically establishes a di-rect connection with the Facebook server. We have no influence on the scope and fur-ther use of the data that is collected by Facebook through the use of this tool and there-fore inform you according to our level of knowledge: By integrating the Facebook Pixel, Facebook receives the information that you are visiting the corresponding site of our website and that you have accessed or clicked on one of our advertisements. If you are registered with a Facebook service, Facebook can assign the visit to your account. Even if you are not registered with Facebook or have not logged in, there is the possi-bility that the provider will find out and save your IP address and other identification features.

• You can find out how the Facebook pixel is used for advertising campaigns at https://www.facebook.com/business/learn/facebook-ads-pixel
• You can find more information on Facebook's privacy policy at https://www.facebook.com/policy.php
• Further information on data processing by Facebook is available at https://www.facebook.com/about/privacy

bb) Purposes of the processing of data

We use these functions in order to be able to present you with offers that match your interests.

cc) Legal basis

We process your data because you have given your consent (Article 6 (1) (a) GDPR). We obtain your consent when you visit our website via the cookie banner.

dd) Storage duration and control options

We store your data as long as we need it for the respective purpose (display of interest-based advertising), or as long as you have not objected to the storage of your data or have revoked your consent.

The deactivation of the “Facebook Custom Audiences” function is possible for logged-in users at https://www.facebook.com/settings/?tab=ads#.

You can change your settings for advertisements in Facebook at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen,%20provided%20you%20are%20logged%20into%20Facebook

j) Use of Google Remarketing and Double Click 

aa) Processed data

Google Remarketing and Double Click (now Google Ad Manager): We use Google Re-marketing and Google Double Click from Google Ireland Limited, Gordon House, Bar-row Street, Dublin 4, Ireland. With this technology, cookies are set which evaluate how you use our website and which enable your browser to be recognized when you visit websites that belong to the Google advertising network. For this purpose, the Google Analytics tracking code uses so-called double click cookies in addition to the Google Analytics cookies. These collect data on which third-party websites in the Google Dis-play Network you have visited and which advertisements you have clicked on. In addi-tion, data from first-party cookies (e.g. Google Analytics cookies) and third-party cookies (e.g. Google cookie for display preferences) are linked. This enables us to evaluate the display of advertisements and your interaction with these advertisements.

Google Ads Conversion Tracking: We use Google Ads Conversion Tracking. With this technology, cookies are set when you interact with one of our advertisements, e.g. click on it. Cookies are used to analyze what happens after you have interacted with an ad-vertisement, e.g. whether you have bought our product, viewed the ad from a mobile phone, downloaded our app or signed up for a newsletter.

bb) Purposes of the processing of data

Google Remarketing and Double Click (now Google Ad Manager): We use this tech-nology to present you with interest-based advertisements on other websites in the Google advertising network. The advertisements relate to content that you have previ-ously viewed on our website.

Google Ads Conversion Tracking: We use this technology to improve our offers.

cc) Legal basis

We process your data because you have given your consent (Article 6 (1) (a) GDPR). We obtain your consent when you visit our website via the cookie banner.

dd) Storage duration and control options

The data that are collected via the Google functions are saved and regularly deleted.

You can prevent the storage of cookies by making the appropriate setting in your browser.

You can also prevent Google from collecting the data and processing the data by down-loading and installing the browser add-on available under the following link.

Google Dynamic Remarketing and Double Click as well as Google Ads Conversion Tracking: You can object to the storage of cookies and the associated data processing by deactivating personalized advertising via your advertising settings. You can deacti-vate the use of cookies by third-party providers via the deactivation website of the net-work advertising initiative. Alternatively, you can deactivate double-click cookies by in-stalling a browser plug-in.

This can restrict the functionality of our website.

You can find further information in the Google privacy policy.

k) Use of Linkedin Insights and Conversion Tracking

aa) Processed data

We use the LinkedIn Insight Tag of the provider LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA for this website. The LinkedIn Insight Tag creates a LinkedIn "browser cookie" which collects the following data:

• IP address,
• time stamp,
• page activities,
• demographic data from LinkedIn, if the user is an active LinkedIn member.

This technology enables us to generate reports on the performance of our advertise-ments and information on website interaction. For this purpose, the LinkedIn Insight Tag is integrated on this website, which establishes a connection to the LinkedIn server if you visit this website and are logged into your LinkedIn account at the same time.

bb) Purposes of the processing of data

We process your data in order to evaluate campaigns and to collect information about website visitors who may have reached us through our campaigns on LinkedIn.

cc) Legal basis

We process your data because you have given your consent. We obtain your consent when you visit our website via the cookie banner.

l) Integration of social media plug-ins

We are currently using the following social media plug-ins: Facebook, Instagram, Twitter, LinkedIn.

When you visit a page that contains such a plug-in, the browser will connect to the social media providers' servers and provide the information that you have accessed the corresponding subpage of our website. In addition, the data referred to in section 3 of this declaration will be transmitted, whereby in the case of Facebook and XING, according to the respective providers in Germany, only an anonymous IP is recorded. This happens regardless of whether you have an account with this plug-in provider and are logged in there. If you are logged in to the plug-in provider, this data will be assigned directly to your account. If you click the button, the plug-in provider also stores this information in your user account and informs your contacts publicly. If you do not want your profile to be linked with the plug-in provider, you must log out before clicking the button. 

The plug-in provider stores this data as usage profiles and uses it for the purposes of advertising, market research and/or tailored website design and/or for other uses as set out in the plug-in providers privacy policy. Such an evaluation is carried out in particular (also for non-logged-in users) to present needs-based advertising and to inform other users of the social network about your activities on our website. You have a right to object to the formation of these user profiles; you must contact the respective plug-in provider to exercise them.

For more information on the purpose and scope of the data collection and its processing by the plug-in provider, please refer to the privacy statements of these providers, which can be found below. You will also find further information about your rights and settings options to protect your privacy here.

Addresses of the respective providers and URLs with their privacy policies:

• Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, more information on data recording: https://www.facebook.com/about/privacy, https://www.facebook.com/help/186325668085084. Facebook has submitted itself to the EU-US Privacy Shield (see https://www.privacyshield.gov/EU-US-Framework).
• Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, more information on data recording: https://www.instagram.com/about/legal/privacy, https://www.facebook.com/help/186325668085084. Instagram has submitted itself to the EU-US Privacy Shield (see https://www.privacyshield.gov/EU-US-Framework).
• Twitter Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/en/privacy. Twitter has submitted itself to the EU-US Privacy Shield (see https://www.privacyshield.gov/EU-US-Framework).
• LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn has submitted itself to the EU-US Privacy Shield (see https://www.privacyshield.gov/EU-US-Framework).

m) Integration of Google Map

We integrate the maps of the service "Google Maps" provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The data processed may include, but is not limited to, the IP addresses and location data of users, without their consent (usually performed as part of the settings of their mobile devices). Unless you have expressly consented to the use, our legal basis for this data processing is our legitimate interest (Art. 6 Para. 1 S. 1 lit. f DS-GVO) in order to design our website to meet your needs. The data could also be processed in the USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated

n) Use of the EQS stock chart

aa) Processed data
We integrate the EQS stock charts from the provider EQS Group AG, Karlstrasse 47, 80333 Munich, for the visual representation of various stock charts.
The provider collects the following data about access to the stock chart on our website and stores them in server log files:
• Website visited
• Time of access
• Amount of data sent in bytes
• Source / reference from which you came to the page
• Browser used
• Operating system used
• IP address used - the IP address is anonymized latest after 24 hours.

bb) Purposes of the processing of data
We process your data in order to display stocks charts on our website.

cc) Legal basis
The legal basis for the processing is legitimate interests (Art. 6 Para. 1 f GDPR) in a needs-based design of the website and the stock charts or protection against any unlawful use.
Further information can be found in the data protection declaration of EQS Group AG.

dd) Storage duration and control options
Any personal data will be anonymized within 24 hours. However, the provider reserves the right to check the server log files that have not yet been anonymized if there are concrete indications of illegal use or to evaluate the data in order to rectify a problem.

o) Integration of YouTube videos

aa) Processed data
We have embedded YouTube videos on our website, which are hosted by YouTube but can be played directly from our website. These are all embedded in "extended data protection mode", i.e. according to YouTube's own statement, the playback of a video is not used for the personalisation of advertising to the user. However, we have no influence on this. YouTube is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

In order to increase the protection of your data when visiting our website, the videos are initially deactivated and integrated into the page using a so-called "2-click solution". This integration ensures that when you call up a sub-page of our website that contains such videos, no connection is established with the YouTube servers. Only when you activate the videos does your browser establish a direct connection to the YouTube servers. 

By activating the video, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, basic data such as IP address and time stamp are transmitted. This takes place regardless of whether YouTube provides a user account via which you are logged in or whether no user account exists. If you are logged in to YouTube, your data will be directly assigned to your account. If you do not want your data to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or designing their website to meet your needs. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and to exercise this right you must contact YouTube or Google, e.g. at https://about.google/contact-google/.

bb) Purposes of the processing of data
The data is processed and transmitted for the purpose of integrating and displaying YouTube videos.

cc) Legal basis
The legal basis for the display of the videos is Art. 6 para. 1 lit. a) DSGVO, i.e. the integration only takes place after your consent. 

dd) Duration of storage and control options
We store your data as long as we need it for the respective purpose, or as long as you have not objected to the storage of your data or have revoked your consent.
If you do not want data to be processed by YouTube, you can refuse or revoke your consent in this respect. 

p) YouTube Videos on Websites

Technicalimplementation

The integration of videos on the website using YouTube will follow the following procedure:
Each time a YouTube video is embedded in the website, the extended data protection mode will be activated. This means that significantly less user data
is sent to YouTube, although it can be assumed that personal data is still transmitted to YouTube via cookies.

Mechanism of consent

As processing of this data is not possible without risk on the basis of GRENKE's legitimate interests, consent will be obtained from the website user.
The background to this is that user information that serves the provision of pure convenience functions of the embedded YouTube videos (e.g. the last position viewed in a YouTube video or other user settings) may be technically necessary in individual cases for the provision of the website service, which is why consent would not be required. However, if data were also transmitted to
Google for other purposes, an argumentation in the direction of technical necessity for the provision of the service would be difficult, which is why these accesses to information (by means of cookies) and data processing would thus generally require consent. Such a transmission of data by means of cookies is to be assumed.
The bottom line should therefore be to ensure that data collected from the website user by YouTube - despite the extended data protection mode - which is not absolutely necessary for playing the videos themselves, is not used without the user's consent. Consent will be obtained on all GRENKE websites as follows:
* The user's consent will be obtained on a case-by-case basis through the so-called "two-click solution". This means that YouTube videos are only loaded when the user agrees to play them directly "at the video".
*The consent text is provided on the video itself. In addition, consent is also obtained at this point for the transmission of data to the USA. Integration into the cookie banner is therefore not necessary.

Adaption of the privacy policy of the website

A corresponding adaptation of the data protection notice of the respective website must also be made and is done locally. A template for a corresponding text can be found in the appendix.

7. How long will my data be stored? 

Unless explicitly stated in this privacy statement, the usage and registration data stored with us is deleted as soon as it is no longer required for its intended use and the deletion does not conflict with any statutory retention obligations.

We process and store other personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation, which is designed to last for years. If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless its - temporary - further processing is necessary for the following purposes:

• Fulfilment of our legal document retention obligations including but not limited to our obligation under the Companies Act 2014 and under Anti-Money Laundering legislation.
• Preservation of evidence in the context of the statutory limitation periods.

8. Which data protection rights do I have?

Every affected person has with respect to us

• the right to information under Art. 15 GDPR,
• the right to access under Art. 15 GDPR
• the right to a correction under Art. 16 GDPR,
• the right to deletion under Art. 17 GDPR,
• the right to restrict the processing under Art. 18 GDPR,
• the right to object from Art. 21 GDPR,
• and the right to data portability under Art. 20 GDPR.
• rights in relation to automated decision making.
• the right to withdraw consent.

Each individual also has the right to complain to the Data Protection Commission at 21 Fitzwilliam Square South, Dublin 2, D02 RD28 (website: www.dataprotection.ie).

The rights set out above are in some circumstances limited under Data Protection Legislation.  Where you exercise any of the rights above we will aim to respond to you within one month however where the request is complex this may be extended by a further period of two months. 

9. Am I obligated to provide data?

As part of our business relationship, you must provide the personal data required in order to enter into a business relationship and perform its associated contractual obligations, or the personal data that we are required to collect by law. Without this information, we will generally not be able to conclude or execute the contract with you.
 
In particular, according to the money laundering regulations, we are obligated to identify you prior to entering into a business relationship with you on the basis of your identification document and to record and save your name, place of birth, date of birth, nationality, address and identification data. In order for us to be able to fulfil this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering legislation and immediately notify us of any changes during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue your desired business relationship.

10. To what extent is there an automated decision-making process?

In principle, we do not use any fully automated decision-making processes pursuant to Art. 22 GDPR in order to justify or maintain the business relationship. If we do use these procedures in individual cases, we will inform you about this separately, if this is required by law.

11. Does profiling take place?

We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

• Due to legal and regulatory requirements, we are committed to combating money laundering, the financing of terrorism, and property-related offences. At the same time, data evaluations are also carried out (inter alia in payment transactions). These measures are also in place for your protection.
• In order to provide you with targeted information and advice on products, we use evaluation tools. These enable needs-based communication and advertising, including market and opinion research.
• We use the scoring to assess your creditworthiness. This calculates the probability with which a customer will meet their payment obligations in accordance with the contract. The calculation may include, for example, income, expenses, existing liabilities, occupation, employer, duration of employment, past business experience, past repayment of the loan, and information from credit reporting agencies. The scoring is based on a mathematically-statistically recognised and proven procedure. The calculated scores help us make decisions within the context of product sales and are part of ongoing risk management.