Data Privacy Statement

Overview of Personal Data Processing

With the following information we provide you with an overview regarding the processing of your personal data by akf bank GmbH & Co KG, akf leasing GmbH & CoKG and akf servicelease GmbH (hereinafter referred to as “we”, “us”) and your rights under data protection law. Which data are processed in detail and in what manner they are used primarily depends on the respectively requested/agreed services or (financing) agreements.

Please also pass on the information to the current and future authorized representatives and beneficial owners as well as any jointly obliged parties of a service or (financing) agreement whose personal data will also be processed. These groups of persons may include, for example, managing directors, holders of general commercial power of attorney, guarantors or beneficiaries in the event of death.


Who is responsible for data processing and who can be contacted?

Depending on the type of business relationship, the following responsible parties process your personal data:

akf bank GmbH & Co KG
Am Diek 50, 42277 Wuppertal
Managing directors:
Dr. Frank Henes (chairman), Bernhard Ismann, Holger Stuhlmann
Tel.: +49 202 25727-0
Fax: +49 202 25727-1200
E-Mail: info@akf.de

akf leasing GmbH & Co KG
Am Diek 50, 42277 Wuppertal
Managing directors:
Dr. Frank Henes (chairman), Bernhard Ismann, Holger Stuhlmann
Tel.: +49 202 25727-0
Fax: +49 202 25727-1200
E-Mail: info@akf.de

akf servicelease GmbH
Am Diek 50, 42277 Wuppertal
Managing directors:
Holger Büscher, Dr. Frank Henes
Tel.: +49 202 25727-0
Fax: +49 202 25727-1200
E-Mail: info@akf.de

You may reach our company Data Protection Officer at:
akf bank GmbH & Co KG
Am Diek 50, 42277 Wuppertal
– Data Protection Officer –
Tel.: +49 202 25727-3260
E-Mail: datenschutz@akf.de


Which data from which sources do we use?

We process personal data that we receive from you as our customer, your representatives or other parties involved (e.g. guarantors) within the scope of our business relationship. Within the scope of our business relationship, you must provide those personal data which are required for the establishment and execution of a business relationship and fulfillment of the associated contractual obligations or which we are legally obliged to collect. Without these data we will usually refuse conclusion of the (financing) agreement or execution of an order or we will no longer be able to execute an existing (financing) agreement and may have to terminate it. In particular, we are obliged under the provisions of money laundering regulations to identify you prior to establishing the business relationship, for example on the basis of your identity card, and to collect and record your name and place of birth, your date of birth, your nationality and your address. In order for us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with Section 4 Paragraph 6 of the German Money Laundering Act [GwG] (Law on Tracing Profits from Serious Criminal Offences, Money Laundering Act) and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, then we may not establish or continue the business relationship you have requested. In addition, to the extent required for the provision of our services or execution of (financing) agreements, we process personal data that we have legitimately received from our corporate partners or from other third parties (e.g. credit agencies such as Schufa). Finally, we process personal data that we have legitimately obtained from publicly accessible sources (e.g. lists of insolvent debtors, land registers, commercial registers and registers of associations, press, media, Internet).


Which master data do we process?

As master data we process the respective personal data required with regard to an interested party or customer, for a power of attorney (account authorization and/or credit card holder) or for a joint obligation in the case of financing (e.g. guarantor), in particular:

  • name, address/other contact data (telephone, e-mail address),
  • date/place of birth, gender, nationality, marital status,
  • occupational classification/partner type (e.g. dependent / independent), identification data (e.g. ID data), authentication data (e.g. specimen signatures), tax ID, FATCA status, Schufa score, bank data (IBAN, BIC, bank name)

What other data do we process for our services and (financing) agreements?

For the conclusion and execution of services and (financing) agreements from the categories listed in the following, further personal data may be processed in addition to the master data, which usually relate only to customers, but in some cases also to authorized representatives / duly authorized agents or jointly obliged parties.

  • Account and payment transactions / savings and deposits

    Order data (e.g. payment orders), data from fulfillment of our contractual obligations (e.g. payment transaction data, sales), tax information (e.g. information on church tax liability), information regarding possible third-party beneficiaries, direct debit data, documentation data (e.g. minutes of consultation).

  • Financing agreements

    Documents regarding creditworthiness (e.g. voluntary disclosure, income and expenditure as well as assets and liabilities, cash receipts and disbursements and balance sheets, tax documents, information/verifications of assets and liabilities, guarantees assumed, statements of external accounts), employer, type and duration of employment relationship, type and duration of self-employment, number of dependent children, marital status, residence/ work permit for non-EU nationals, scoring/rating data, information/ verifications of intended, personal and third-party collateral, property documents (e.g. land register extracts, property valuations), documentation data (e.g. minutes of consultation), object-specific certificates and documents (e.g. insurance certificates, approval certificates). In the case of personal guarantees by third parties (external collateral), comparable requirements on the respective guarantors for the disclosure of economic and financial circumstances are set.

  • Payment protection and purchase price insurance agreements

    Insurance number, product data (e.g. rate, benefit, contribution), documentation data (e.g. consultation protocols)

  • Customer contact information

    IWithin the scope of the business initiation phase and during the business relationship, in particular through personal, telephone or written contacts initiated by you or by the bank, further personal data, e.g. information on the contact channel, date, occasion and result, (electronic) copies of correspondence as well as information on participation in direct marketing measures are generated.

  • Digital services

    With regard to the data processed when using digital service products, reference is made to further information on data protection in connection with the respective digital service (e.g. akf Ident when using Ident app, service portal, etc.).


What for (for what purpose) and on what legal basis do we process the data?

We process the aforementioned personal data in accordance with the provisions of the EU General Data Protection Regulation [GDPR] and the German Federal Data Protection Law [BDSG] for the purposes described in the following on the basis of the legal grounds specified below. The scope of the processing of personal data with regard to individual persons depends on the requirement for the role of the respective person as customer, authorized representative, beneficial owner or jointly obliged party of a financing agreement (e.g. guarantor).

  • for fulfilling contractual obligations
    Article 6 Paragraph 1 b of the EU General Data Protection Regulation [GDPR]

    The processing of personal data takes place – if required – for the provision of banking transactions and financial services within the scope of execution of our agreements with our customers or for the execution of pre-contractual measures which take place at their request. The purposes of data processing are primarily based on the specific service and/or (financing) agreement and, among other things, may include requirements analysis, consulting, asset management and support as well as the execution of transactions. The details of the data processing purposes can be found in the respective contractual terms and conditions.

  • within the scope of a weighing of interests Article 6 Paragraph 1 f GDPR

    If necessary, we process your personal data beyond fulfillment of the agreement in order to protect our legitimate interests or those of third parties. Examples include:

    • consultation and data exchange with credit agencies (e.g. Schufa, Infoscore) to determine creditworthiness and risks of default
    • establishment of legal claims and defense in the case of legal disputes
    • ensuring IT security and IT operation
    • prevention of criminal offences
    • business management measures and further development of products and services
    • risk management

  • based on your consent
    Article 6 Paragraph 1 a GDPR

    If you have given us your consent with regard to the processing of personal data for certain purposes (e.g. advertising or passing on of data in combination), then the legality of this processing is given on the basis of your consent. Any given consent can be revoked at any time – regardless of when it was given – unless this is excluded in the consent itself for legitimate reasons. If, for example, a revocation is contrary to statutory, regulatory or contractual obligations, then we reserve the right to justifiably reject the revocation, but undertake to immediately honor the revocation as soon as the statutory, regulatory or contractual obligations cease to apply. Please note that the revocation will only take effect in the future. Processing that took place prior to the revocation remains unaffected.

  • based on statutory requirements
    Article 6 Paragraph 1 c GDPR or in the public interest
    Article 6 Paragraph 1 e GDPR

    In addition, we are subject to various binding statutory requirements (e.g. German Banking Act [KWG], German Money Laundering Act [GwG], German Securities Trading Law, tax laws) and regulatory requirements (e.g. European Central Bank, European Banking Supervisory Authority, the German Federal Bank and the Federal Financial Supervisory Authority) which require the processing of personal data. The purposes of processing include, among other things, assessments of creditworthiness, identity and age checks, the prevention of fraud and money laundering, fulfillment of tax review and reporting obligations as well as the assessment and management of risks.


Who receives the data?

  • recipients within the company

    Within the company responsible for you, those departments will have access to your data that require them in order to fulfill our contractual and statutory obligations. Within the affiliated companies, numerous technical divisions and functions (e.g. claims management, incoming mail, service center or IT) are centrally organized and are also provided or performed by affiliated companies for other companies. Insofar this involves either transfer in our legitimate interest for internal or efficient administration or on the basis of order processing. The same strict security measures and standards of care apply in all affiliated companies. The following applies in particular:

    • A general application, contract and performance data and/or master data such as name, address data, bank data and their mandate reference (together with the creditor identification number this enables the mandate to be clearly identified), birth data, data with regard to financial circumstances, driving license checks, information on controls for the money laundering check (identification procedure) may possibly be stored only once in a central location, even if you conclude agreements with various affiliated companies, but are, if required, accessible to the employees of various affiliated companies.
    • Specific application, contract and performance data that are only required for the provision of a service or the execution of a (financing) agreement are accessible only to the competent staff of the contracting company.

  • recipients outside of the organisation

    With regard to the transfer of data to recipients outside the company, please note that we may only pass on information about you if required by statutory provisions, if we are authorized to provide banking information or if you have consented to such transfer. In addition, we may pass on data to contractors commissioned by us if they guarantee compliance with the requirements of the EU General Data Protection Regulation / the German Federal Data Protection Law or to service providers and vicarious agents employed by us if they observe our instructions under data protection law in writing and, if required, have signed an agreement with regard to order processing. Under these prerequisites recipients of personal data may be, for example:

    • public bodies and institutions (e.g. German Central Bank, German Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, fiscal authorities, German Federal Central Tax Office) in the event of a statutory or official obligation. For example, reports can be made on suspicion of money laundering or when taking out car insurance through one of our insurance partners. In addition, other insurance-related procedures (e.g. deregistration or change of registration, change of residence) may make it necessary to exchange personal data with authorities (e.g. the vehicle registration office).
    • Credit agencies
    • business partners with whom we conclude services for you or who are involved in the provision of your service or execution of your (financing) agreement and to whom we transfer personal data. This may include in particular: sellers of a financed item, insurers for an insurance selected by you (e.g. in the case of conclusion, change or termination as well as claims processing within the scope of motor vehicle or unemployment insurance, refinancing financial service providers, etc.), who then process your personal data themselves as responsible parties.
    • Other credit and financial services institutions, comparable institutions and other service providers to which we transfer personal data in order to conduct the business relationship with you. In detail, for example, processing of bank information, compliance services (for compliance with statutory, regulatory and contractual requirements), controlling, data screening for anti-money laundering purposes, credit processing service, collateral management, collection, reporting, risk controlling, payment transactions..
    • Service providers that we use as contract processors in accordance with Article 28 GDPR, insofar as they conclude a corresponding agreement and carry out suitable technical and organizational measures to protect your data.
    • Insofar as we are obliged, reports defined within the meaning of the German Money Laundering Act, for example, are sent to central information systems (central office).
    • Other recipients of data may be those entities for which you have given your consent to the data transfer or for which you have exempted us from banking secrecy based on agreement or consent.

Are data transferred to third countries?

Data is only transferred to countries outside the EU or the EEA (so-called third countries) if required for the execution of your orders (e.g. payment orders)

  • if mandatory or prescribed by law (e.g. tax reporting obligations),
  • if it is in our legitimate interest (e.g. to secure refinancing),
  • if such takes place on the basis of consent given by you or within the scope of order data processing.

Insofar as a decision to transfer personal data abroad is taken by us alone, free of statutory, regulatory or contractual requirements, we ensure that the recipients of personal data abroad offer a guarantee for an adequate level of data protection or other data protection guarantees within the meaning of Article 45 of the EU General Data Protection Regulation [GDPR].


How long are the data stored?

We process and store your personal data as long as required for fulfillment of our contractual and statutory obligations. It should be noted that our business relationship is a continuous obligation that may last for several years. If the data are no longer required for the operational fulfilment of contractual or statutory obligations, then they shall be deleted on a regular basis, unless their – temporary –

  • Further processing is required for the following purposes (for which they remain stored as “blocked data”):
  • Compliance with commercial and fiscal retention periods: These include the German Commercial Code, the German Fiscal Code, the German Banking Law, the German Money Laundering Act and the German Securities Trading Law. The periods for storage and/or documentation specified there amount to two to ten years.
  • Preservation of evidence under the statute of limitations. In accordance with Sections 195 ff. of the German Civil Code [BGB], these limitation periods can be up to 30 years, whereas the regular limitation period is three years.

What are the rights of the data subject/customer?

Every data subject, i.e. every natural person whose personal data we process, has the right to access as specified in Article 15 of the EU General Data Protection Regulation [GDPR], the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to limitation of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. The restrictions in accordance with Sections 34 and 35 of the German Federal Data Protection Law [BDSG] (new) apply to the right to access and the right to erasure.
You can address your inquiries (without an order form and free of charge) to our data protection officer. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG). The supervisory authority responsible for us is the North Rhine-Westphalia State Commissioner for Freedom of Information and Data Protection, Kavalleriestraße 2-4, D - 40213 Düsseldorf, https://www.ldi.nrw.de.
You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us prior to the validity of the EU General Data Protection Regulation [GDPR], i.e. before May 25, 2018. Please note that the revocation will only take effect in the future. Processing that took place prior to the revocation remains unaffected.


Information about your right to object as in Article 21 of the EU General Data Protection Regulation [GDPR]

  • Right to object on an individual basis

    You have the right for reasons arising out of your particular situation to object at any time to the processing of personal data concerning you, which is based on Article 6 Paragraph 1e of the EU General Data Protection Regulation [GDPR] (data processing in the public interest) and Article 6 Paragraph 1f GDPR (data processing on the basis of a weighing of interests); this also applies to profiling based on this provision within the meaning of Article 4 Paragraph 4 GDPR. If you file an objection, then we will no longer process your personal data unless we can prove compelling grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

  • Right to object to the processing of data for advertising purposes

    In individual cases we process your personal data for direct advertising purposes insofar as you have given us your consent in this regard. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct advertising. If you object to this processing for direct advertising purposes, then we will no longer process your personal data for these purposes. Please note that the revocation will only take effect in the future. Processing that took place prior to the revocation shall remain unaffected.

If our business partners are responsible for processing your personal data, then please contact the data protection officers of these companies directly with regard to your data protection rights.


How do we cooperate with credit agencies?

Within the scope of our contractual relationships with you, we transfer personal data when it comes to applying for, carrying out and terminating this business relationship as well as data about you and third parties (e.g. co-obligated persons, guarantors) with regard to non-contractual or fraudulent behavior, e.g. name, address and date of birth to one or more of the credit agencies engaged by us; in particular

  • SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden
  • infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden
  • Creditreform Wiesbaden Hoffmann & Nikbakht KG, Adolfsallee 34, 65185 Wiesbaden
  • CRIF Bürgel GmbH, Leopoldstraße 244, 80807 München
  • Deutsche Bank AG, Zentrale Auskunftei, 20079 Hamburg
  • Creditsafe Deutschland GmbH, Schreibenhauer Straße 30, 10317 Berlin
  • EURO-Pro Gesellschaft für Data Processing mbH, Lindenhof 1-3, 61279 Grävenwiesbach

Article 6 Paragraph Letter b and Article 6 Paragraph Letter f GDPR provide the legal basis for these transfers. Transfers on the basis of Article 6 Paragraph 1 Letter f GDPR may only take place if required in order to protect our legitimate interests or those of third parties and does not outweigh the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The data exchange with SCHUFA also serves to meet statutory obligations to assess the creditworthiness of customers (Section 505a of the German Civil Code [BGB], Section 18a of the German Banking Law [KWG]). The credit agencies process the data received and also use such for the purpose of creating profiles (scoring) in order to provide their contractual partners in the European Economic Area and in Switzerland and, where applicable, other third countries (if an adequacy decision of the European Commission exists for these) with information for, among other things, assessing the creditworthiness of natural persons. More detailed information on the activities of the credit agencies (in particular their data, purposes, legal bases, recipients) can be inspected as follows:


The extent to which we carry out automated decisions or profiling

  • Automated individual decision-making

    As a rule we do not use automated decision-making (within the meaning of Article 22 GDPR) to establish and carry outthe business relationship. Should we use automated procedures in individual cases, then the data subject will be separately informed, insofar as this is required by law.

  • Profiling

    Otherwise, we process your data in part automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

    • We are obliged by law to combat money laundering and fraud. Data analyses (e.g. in payment transactions) are also carried out. These measures also serve to protect you.
    • We use evaluation tools in order to inform and advise you about specific services, etc. These tools make requirements-based communication and advertising possible, including market research and public opinion polling.
    • We use scoring to assess your creditworthiness. The probability with which a customer will meet his or her payment obligations in accordance with the agreement is calculated. The calculation may include, for example, income, expenses, existing liabilities, occupation, length of employment, experience from the previous business relationship, contractual repayment of previous loans and information from credit reporting agencies. Scoring is based on a mathematically and statistically recognized and proven procedure. The calculated score values support us in our decision-making and are included in our ongoing risk management.

Stand 01.01.2021