Published: 04.02.2019 | Topic: Compliance

Information on data processing regarding the assessment of the applicability of the authorisation requirement and enforcement relating to unauthorised business in the Directorate IF – Integrity of the Financial System

The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) processes personal data to meet its legal and (pre-)contractual obligations. This also includes data which BaFin collected from you. To promote awareness regarding data processing and your rights and to comply with our duty to provide information in accordance with Article 13 and Article 14 of the EU General Data Protection Regulation (GDPR), BaFin informs you as follows:

1. Contact details for BaFin and BaFin’s Data Protection Officer

Bundesanstalt für Finanzdienstleistungsaufsicht
Graurheindorfer Str. 108
53117 Bonn
Postfach 1253
53002 Bonn
Phone: +49 (0) 228-4108–0
Fax: +49 (0) 228-4108–1550
E-mail: poststelle@bafin.de or De-mail: poststelle@bafin.de-mail.de

BaFin’s Data Protection Officer can be reached at: Datenschutz@bafin.de

2. Purpose of processing

Conducting the administrative procedure for assessing the applicability of the authorisation requirement and enforcement relating to unauthorised business.

3. Legal basis for the processing of data

The German Banking Act (Kreditwesengesetz – KWG), the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), the German Investment Code (Kapitalanlagegesetzbuch – KAGB), the German Act Establishing the Federal Financial Supervisory Authority (Finanzdienstleistungsaufsichtsgesetz – FinDAG), the German Administrative Procedure Act (Verwaltungsverfahrensgesetz – VwVfG), the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

4. Categories of processed personal data

  • Particulars/address and contact details (e.g. business contact data);
  • Personal data in connection with professional or business activities

5. Intention to transfer the personal data to recipients in a third country or to an international organisation

BaFin will only transfer your data to a recipient in a third country (non-EU member states and countries outside the European Economic Area) or to an international organisation to the extent this is necessary for BaFin to carry out its statutory responsibilities.

6. Recipient of data

Any authorities and courts involved in the administrative procedure and/or criminal proceedings (if applicable) as well as the individuals employed by BaFin to investigate the facts of the case or to enforce its measures or who have legally defined rights to information vis-à-vis BaFin.

7. Time period for storing your data

10 years with regard to questions about the authorisation requirement in accordance with the applicable supervisory laws, in all other cases 30 years, in each case beginning after the end of the administrative procedure.

8. Your rights as a data subject

In principle, as a data subject, you have the right of access to personal data (Article 15 of the GDPR), the right to rectification (Article 16 of the GDPR), the right to erasure (Article 17 of the GDPR) and the right to restriction of processing (Article 18 of the GDPR), the right to data portability (Article 20 of the GDPR) and the right to object to the processing (Article 21 of the GDPR). Moreover, you have a right to lodge a complaint with the data protection authority competent for BaFin, i.e. the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte(r) für den Datenschutz und die Informationsfreiheit).

9. Automated individual decision-making, including profiling

There is no automated individual decision-making.

10. Source of personal data (only if data is not obtained from the data subject itself, Article 14 of the GDPR)

In principle, the data source is not generally accessible.

11. Basis for the provision of your data and consequences in the event of failure to provide your personal data (only where data are collected from the data subject, Article 13 of the GDPR)

If you do not provide your personal data, the administrative procedure cannot be conducted.
