Data protection

1. Legal background

a) Act XCII of 2001 on the right of informational self-determination and on freedom of information (hereinafter referred to as ‘data protection act’)
b) Act CCXXXVII of 2013 on credit and financial institutions (hereinafter referred to as ‘Bank Act’)
c) Act CXXXVIII of 2007 on investment firms and commodity dealers and the rules of their operating conditions
d) Act CXXXVI of 2007 on the prevention and combating of money laundering and terrorist financing

2. Definitions

a) ‘Authority’ shall mean the National Authority for Data protection and Freedom of Information.
b) ‘Data destruction’ shall mean the complete physical destruction of the data carrier.
c) ‘Data processor’ (processor) shall mean any natural or legal person or organization without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions;
d) ‘Disclosure of personal data’ shall mean ensuring open access to the data.
e) ‘Erasure of data’ (erasure) shall mean making data unrecognizable in a way that makes it impossible to restore it again.
f) ‘EEA member state’ shall mean any Member State of the European Union and any State that is a party to the Agreement on the European Economic Area, furthermore, any other country whose citizens are enjoying the same treatment as nationals of States who are parties to the Agreement on the European Economic Area by virtue of an agreement between the European Union and its Member States and a State that is not a party to the Agreement on the European Economic Area.
g) ‘General Business conditions’ shall mean the Terms of Conditions as amended from time to time and being available on the website of Deutsche Bank AG Hungary Branch.
h) ‘Third country’ shall mean any state which is not an EEA state.
i) ’Controller’ shall mean the natural or legal person, or an organization without legal personality which alone or jointly with others determines the purposes of data processing, makes and executes decisions relating to data processing (including the means used) or have them executed by a data processor. For the purpose of this statement the controller shall be Deutsche Bank AG Hungary Branch (hereinafter referred to as ‘Bank’).
j) ’Data incident’ shall mean the unlawful processing or process of personal data, in particular the illegitimate access, alteration, transfer, disclosure, deletion or destruction as well as the accidental destruction or damage.
k) ’Data process’ shall mean any technical operation carried out in relation to the data processing operations irrespective of the method and means applied as well as the place of application provided that the technical operation is performed upon personal data.
l) ‘Data subject’ shall mean any person who is identified or can be identified – directly or indirectly – by personal data.
m) ’Data subject’s consent’ (‘consent’) shall mean any freely and firmly given indication of his wishes based on adequate information and by which the data subject signifies his unambiguous agreement to personal data relating to him being processed including either every operation or some operations of data processing.
n) ’Data transmission’ shall mean ensuring access to the data for third party.
o) ’Objection’ shall mean the declaration of data subject in which he objects to the processing of his personal data and he requests either the termination of data processing or the erasure of his personal data being processed.
p) ’Personal data’ shall mean any information relating to the data subject – in particular by reference to his name and identification number, or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity – as well as conclusions drawn from the data in regard to the data subject.
q) ‘Processing of personal data’ (‘processing’) shall mean any operation or set of operations which are performed upon personal data, regardless of the procedure applied, such as collection, record, registering, organization, storage, adaptation or alteration, use, query, transmission, disclosure, synchronization or combination, blocking, erasure or destruction as well as prevention of their future use, taking photos, making audio or visual recording and record of physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, or iris scans).
r) 'Third party' shall mean any natural or legal person or organization without legal personality other than the data subject, the controller, or the data processor.

3. Principles of data processing

3.1. The Bank, as data processor, may process personal data only for a specified purpose, for the exercise of legal rights and for the fulfillment of certain obligations (‘the purpose of data processing’). The Bank’s data processing must satisfy this purpose in all stages of data processing.
3.2. The Bank aspires to process only personal data that is essential and suitable for the purpose of data processing. Personal data is processed only to the extent and duration necessary for the purpose of data processing.


4. Purpose of data protection

4.1. The processing of personal data by the Bank always relates to a service provided by it and currently or previously used or requested by the data subject, and is necessary for achieving any of the following aims:
a) preparation and execution of contractual agreement to be entered into by and between the Bank and the data subject;
b) enforcement of claims arising from contractual agreement entered into by and between the Bank and the data subject;
c) to manage risk (analysis, assessment, compliance with regulatory and legal requirements of capital, fraud prevention);
d) client classification based on MiFID and client profiling;
e) credit assessment;
f) complaint handling;
g) contact you or your representative in connection with your account;
h) mandatory data processing (to prevent money laundering and terrorist financing, to fulfill certain tax obligations, to transmit data to the Central Credit Information System or in order to execute international conventions published in domestic laws);
i) other purposes defined in the client contract or in the General Business Conditions published on the bank’s website.

5. Legal grounds for data processing

5.1. Personal data may be processed by the Bank if:
a) the data subject has given his consent;
b) when processing is necessary as decreed by law or by a local authority (in a municipal decree) based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest (hereinafter referred to as “mandatory processing”).

5.2. Other legal grounds
Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary for compliance with a legal obligation pertaining to the Bank as controller or for the purposes of the legitimate interests pursued by the Bank as controller or by a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.
In case the processing is based on other legal grounds as described in this paragraph, the Bank shall inform the data subject about the legal obligation or the protected interest giving grounds to the processing.

5.3. Where personal data is recorded under the data subject’s consent, the controller shall – unless otherwise provided for by law – be able to process the data recorded where this is necessary for compliance with a legal obligation pertaining to the controller, or for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data, without the data subject’s further consent, or after the data subject having withdrawn his consent.

6. Data process

6.1. The rights and obligations of data processors arising in connection with the process of personal data shall be determined by the Bank within the scope specified by the applicable legislation on data processing. The Bank shall be held liable for the legitimacy of its instructions.

6.2. The data processor may not make any decision on the merits of data processing and shall process any and all data entrusted to him solely as instructed by the controller; the processor shall not engage in data process for his own purposes and shall store and safeguard personal data according to the instructions of the Bank.

6.3. Any company that is interested in the business activity for which personal data is used may not be contracted by the Bank for the process of such data.

7. Transmission of personal data

7.1. Transmission of personal data is permitted only with the consent of the data subject or if it is otherwise allowed by law.
7.2. The Bank based on the written consent of the data subject in order to facilitate a more efficient client service, client classification process, as well as to manage money laundering and other risks and in case of outsourcing may disclose personal data to other DB group members as well as to the outsourcee as provided for by the General Business Conditions and the specific contracts entered into with the client.
7.3. Personal data may be transmitted by the Bank to a data controller or processor operating in a third country if the data subject has given his explicit consent, or the conditions laid down in Section 5 and Section 6 of data protection act are satisfied and the adequate level of protection of the personal data has been ensured in the third country during the course of the control and processing of the data transferred. Data transmission to EEA member states shall be deemed as if the data was transmitted within the territory of Hungary.

8. Rights of data subject, enforcement

8.1. Data subject may request
a) information on his personal data being processed;
b) the rectification of his personal data;
c) the erasure or blocking of his personal data, except where processing is rendered mandatory.

8.1.1. The rights of data subject described in section 8.1. may be restricted by law.

8.1.2. The data subject as well as every recipient to whom the data was transmitted before shall be notified about the rectification, the blocking, and the erasure by the Bank. Notification may be omitted if it does not violate the rightful interest of the data subject in light of the purpose of processing.

8.1.3. If the Bank refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing or, on the consent of the data subject, through electronic communications within 25 days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or filing a complaint with the Authority.

8.2. Right to be informed

8.2.1. Upon the data subject’s request the data controller shall provide information concerning the data relating to him, including those processed by a data processor on its behalf or according to his notice, the sources from where they were obtained, the purpose, legal grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and the conditions and effects of the data incident and measures taken with a view to eliminate them and – in case of data transmission – the legal basis and the recipients.

8.2.2. The information shall be given free of charge for every category of data once a year. Additional information concerning the same category of data may be subject to a charge. Where any payment is made in connection with data that was processed unlawfully, or the request led to rectification, it shall be refunded.

8.2.3. The Bank may refuse to provide information to the data subject in the cases defined by Data Protection Act.

8.3. Rectification of personal data
8.3.1. Where personal data is deemed inaccurate, the data controller shall rectify the personal data in question either at the request of the data subject or, in case the correct personal data is at the controller’s disposal, without the request of the data subject.

8.3.2. If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing.

8.4. Deletion of personal data
8.4.1. Personal data must be deleted if:
a) it is being processed unlawfully;
b) so requested by the data subject – except in case of mandatory processing;
c) it is incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act;
d) the purpose of processing no longer exists or the legal time limit for storage has expired;
e) so ordered by court or by the Authority.

8.5. Blocking of personal data
8.5.1. Personal data shall be blocked instead of erased
a) if so requested by the data subject or
b) if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject.
8.5.2. Blocked personal data may be processed as long as the purpose which prevented their erasure exists.

8.6. Objection to data processing
8.6.1. Data subject shall have the right to object to the processing of personal data relating to him in the below listed cases:
a) if processing or disclosure is carried out solely for the purpose of fulfillment of the controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
c) in all other cases prescribed by law.

8.6.2. In the event of objection, the controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period of receipt of request, adopt a decision as to merits and shall notify the data subject in writing of its decision. In case the Bank agrees with the request it shall terminate all processing operations (including data collection and transmission), and block the data involved and notify all recipients to whom any of these data concerning the objection had previously been transferred and who are obliged to take the necessary measures regarding the enforcement of the objection.

8.6.3. If the data subject disagrees with the decision taken by the Bank or if it fails to meet the deadline specified in the above section, the data subject shall have the right to turn to court within thirty days of the date of delivery of the decision or from the last day of the time limit.
8.7. Compensation for damages, restitution
8.7.1. The Bank shall be liable for damages caused to anyone by unlawful processing or by breaching data security rules. Furthermore, the Bank shall be liable for the damages caused by the data processor to the data subject.
8.7.2. If the data controller, by unlawful data processing or by breaching data security rules, violates the personal rights of the data subject, the latter may demand restitution from the data controller. The Bank shall also pay restitution to the data subject for the damages caused by the data processor by violating the personal rights of data subject.
8.7.3. The Bank shall be released from liability for damages and from paying restitution if it demonstrates that the damage or the violation of personal rights were brought about by reasons beyond its data processing activity. No compensation shall be paid and no restitution shall be demanded where the damage or the violation of rights was caused by intentional or serious negligent conduct on the part of the aggrieved party or the data subject.

9. Information on Data processing

9.1. Providing information to data subject
9.1.1. Prior to data processing being initiated the data subject shall be informed whether his consent is required or processing is mandatory. Furthermore he shall be clearly and elaborately informed of all aspects concerning the processing of his personal data, in particular of the following:
a) purpose and legal grounds of data processing;
b) the person entitled to data processing and data process;
c) the duration of data processing;
d) the persons to whom his personal data may be disclosed;
e) if the data subject’s personal data is processed for the purpose described in section 5.4.;
f) rights and remedies of data subject relating to data processing.

9.2. Publication of information on data processing
9.2.1. If the provision of personal information to the data subject proves impossible or would involve disproportionate costs, the Bank discloses the information on its website.
9.2.2. In case of mandatory processing the information defined in section 9.1. may be provided by the publishing of reference to the legislation containing the necessary information on the Bank’s website.


10. Certain data processing and transmissions

10.1. Complaint handling
All personal data collected in connection with complaint handling is processed for 5 years.

10.2. Call recording
10.2.1. The Bank may record and store its telephone conversations with the data subject for complaint handling, settlement and security purposes. In case of a complaint made over the phone the Bank stores the audio recording for 5 years. In other cases it stores the recording for the period of time provided for by the relevant legislation.
10.2.2. The Bank shall ensure that the recording of the call can be replayed, and it shall provide the data subject with the minutes of the recorded call free of charge on the data subject’s demand.

10.3. Transmission of data to the Central Credit Information System (CCIS)

10.3.1. As provided for by Act CXXII of 2011 on the central credit information system, the Bank shall provide certain personal data to the central credit information system (hereinafter referred to as CCIS).
10.3.2. The purpose of the processing of the data stored in the CCIS is to provide reliable and up-to-date credit information to players in the Hungarian financial sector to facilitate prudent lending.
10.3.3. More detailed information about data transmission to the Central Credit Information System can be found in the General Business Conditions, as amended from time to time.

10.4. Obligations under FATCA
The Bank under Section 288/A-288/B in the Bank Act and the Act XIX of 2014 on Agreement Between the Government of Hungary and the Government of the United States of America to improve International Tax compliance to Implement FATCA (hereinafter referred to as ‘FATCA’) shall transmit certain personal data to the National Tax and Custom Administration Authority (‘Tax Authority’) as provided for in Section 43/B-43/C in Act XXXVII of 2013 on Certain Rules of International Public Administration Cooperation Related to Taxes and Other Public Duties (hereinafter referred to as: “Tax Cooperation Act”, or “TCA”). The Tax Authority under Section 43/D in Administrative Cooperation Act shall transmit the data received from the Bank to the competent authority of the United States of America as defined by FATCA. For more information on FATCA please click on the following link:

10.5. Obligations under CRS
Under Section 288/C-288/D in Bank Act, and under Section 43/H in Tax Cooperation Act the Bank shall transmit certain personal data to the Hungarian Tax Authority who forwards these data to the competent authority of a member state of the European Union or any other country. For more information on CRS please click on the following link:

10.6. Processing of personal data provided through electronic communications with the Bank
10.6.1. The Bank monitors its employees’ communication taking place through any electronic devices (‘electronic communication’) according to paragraph 1-2 in Section 11 of the Labor Act. By doing so the Bank records the electronic communication of its employees including any communication taking place between a Bank employee and any external person (data subject).
10.6.2. The aim of the monitoring and the recording of the communication is to filter any communication that violates the law or internal policies relevant in terms of criminal law or regulatory supervision; to detect any violation of laws and regulatory requirements, or mandatory policy provisions applicable to financial and / or investment service providers (in particular leakage of business, securities or bank secrecy or of confidential or non-public price sensitive information) as well as to comply with the obligation to provide information to regulatory authorities upon their request.
10.6.3. The above mentioned legal and regulatory requirements include, in particular, the obligations under

  • Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation);
  • Act CCXXXVII of 2013 on credit institutions and financial enterprises, regarding bank secrecy;
  • Act CXXXVIII of 2007 on investment firms and commodity dealers and the rules of their operating conditions, regarding security secrecy;
  • Articles 16(6)-(7) and (11) of Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (‘MiFID II’), Articles 72-76 of the Commission Delegated Regulation (EU) supplementing Directive 2014/65/EU, as well as the Hungarian laws implementing the Directive;
  • Sections 14 and 20a of the German Securities Trading Act (Wertpapierhandelsgesetz).

10.6.4. The communication is recorded and processed by a data processor assigned by the Bank (Hewlett-Packard Limited, Amen Corner, Cain Road, Bracknell, Berks RG12 1HN, and Autonomy House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, UK) in a dedicated data repository called ‘Digital Safe’. The data is retained and processed by the Bank in the Digital Safe for the period determined by the applicable record retention requirements, but for a maximum of 10 years. In case the purpose of data processing requires a longer period of time (as an example, in case of an ongoing investigation by an authority) the length of retention time can be prolonged for the period justified by the purpose of such data processing.
10.6.5. For the above reason and in the above cases, the Bank’s management, the persons appointed by the management (including the direct supervisor of the employee, members of the Compliance, Legal, Human Resources and Internal Audit departments) as well as external legal and other professionals mandated by the Bank are entitled to examine the content of the messages sent and the content of communication taking place through electronic devices. In the course of the examination, persons associated with Deutsche Bank Group’s non-European entities may also inspect the electronic communications in order to perform their control responsibilities.

Budapest, 11th November 2016

Deutsche Bank AG Hungary Branch

Last update: February 7, 2017
Copyright © 2017 Deutsche Bank AG, Frankfurt am Main