Data protection information for visitors to our website
Please be aware that this data protection information does not cover our software products (in particular Aareal Portal and Aareal Account Tenancy Bonds).
At Aareal Bank AG, we take the protection of personal data seriously and process such data only in accordance with the applicable legal regulations, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).
In accordance with Article 13 of the GDPR, below we provide you with information on how we process your personal data in connection with your visit to our website and on your rights in this respect.
- Processing of personal data when visiting our website
- Necessary cookies and consent to the use of further cookies
- Processing of personal data when using certain services on our websites
- Web analytics cookies
- Embedded YouTube videos
- Social media integration
- Specifics for using product pages with registration options
- Online consent to changes to terms in client contracts
- Reporting procedure in accordance with the German Supply Chain Due Diligence Act
- JavaScript library
- Contacting us
- Complaints
- Compliance with legal requirements
- Enforcement of rights
- Data controller
- Data Protection Officer
- Rights of the data subject
- Right to lodge a complaint with a supervisory authority
- Passing on information/data
- Third-country transfers
- Duration of storage
- Automated decision-making
- Obligation to provide data
1. Processing of personal data when visiting our website
Whenever you use our website – even if you are not a registered user and do not actively share information with us – we collect the following information:
- Referrer (previously visited website)
- Website or file requested
- Browser type and version
- Operating system used
- Name of internet service provider
- Device type used
- Time of access
- IP address
The time of access and IP address collected in this way are monitored for predefined patterns by a tool consisting of client, server and configuration files (known as fail2ban); IP addresses matching these patterns are identified and, if necessary, temporarily blocked.
The data is processed in order to ensure the functionality of the website. Without this data it would, in some cases, not be technically possible to provide and display the website content. We also use the data for statistical analysis to optimise the website, to protect against misuse and to ensure the security and stability of our systems. This constitutes our legitimate interest. The legal basis for this processing is Article 6(1)(f) of the GDPR. Data may also be processed in order to ensure the initiation or execution of a contract. If the visit to the website is connected with a contract concluded or to be concluded between the data subject and us, the processing is based on Article 6(1)(b) of the GDPR.
The recipients of the above-mentioned data are technical service providers responsible for the operation and maintenance of our websites.
The data is deleted once it is no longer required for the purpose for which it was collected. In the case of data processed to display the website to the user in a given session, this means that the data is deleted once the session has ended. As a general rule, the data in server log files is deleted within 24 hours; if using the website https://portal.aareal.com/, the data is deleted within 36 days. This also applies to any blocked IP addresses.
2. Necessary cookies and consent to the use of further cookies
Some of our websites use cookies. Cookies are small text files that are stored on your device when you visit our website and enable, facilitate or improve the use of our website. Cookies that are absolutely necessary for the functions of our website (necessary cookies) are permitted by law to be stored on your device. For the use of other cookies (e.g. web analysis cookies) we require your consent.
To obtain your consent, we use the Klaro! Consent Manager extension, which is based on the Klaro! Consent Management service provided by KIProtect GmbH (Bismarckstrasse 10-12, 10625 Berlin). When you first visit our website, Klaro! Consent Manager displays a dialogue box (banner) that allows you to give your consent to certain categories of cookies. Your selection, together with other data, is stored encrypted on servers within the European Union for a period of two months for verification purposes (Article 7(1) GDPR).
Your selection is also stored on your device under the name “Klaro” as a (necessary) cookie for a period of two months and automatically taken into account each time you visit our website. However, you can also delete this cookie beforehand via your browser settings.
After two months or after a premature manual deletion of the “Klaro” cookie, you must make a new selection when you visit our website.
Details on the scope of the data collected by KIProtect GmbH and the handling of such data can be found here: https://klaro.org/resources/privacy
3. Processing of personal data when using certain services on our website
If you use certain services on our website, we may process further personal data in addition to that described in sections 1 and 2. Such further data processing takes place as follows:
a) Web analytics cookies
We use the web analytics tool “Matomo” (formerly “Piwik”) on some of our websites to analyse the demand for content and optimise the content we offer.
Matomo collects the following data:
- Date of access
- Number of actions performed on the website
- Time spent on the website
- Country of origin
- Browser version
- Operating system used
- Number of new and returning visitors
- Referring source
- Conversion rate
- IP address in anonymised form
The version of the Matomo analytics tool we use anonymises the IP addresses, so that users are not identifiable. The analytics tool works by placing two small text files called cookies on your device. It uses “persistent cookies”, which remain saved on your device after your visit. The cookies are set from the domain “aareal-one.com” and are named as follows: _pk_id# and _pk_ses# (the # is replaced with an individual number). The _pk_id# cookie expires after 13 months; the _pk_ses# cookie expires after 30 minutes. These cookies allow us to recognise visitors who return to our website, create anonymous user profiles to improve the user-friendliness of the website, determine an approximate geographical location, correct errors on the website and improve the service. The legal basis for the processing of personal data by Matomo is Article 6(1)(f) of the GDPR.
If you have consented to the use of web analysis cookies, you can prevent the analysis of user behaviour as a whole for the future by blocking the setting of cookies in your browser by the corresponding domain (aareal-bank.com; gb.aareal-bank.com; nb.aareal-bank.com). Please check the help function of your browser for instructions on how to block cookies.
You also have the option at any time to change your selection of the admissibility of web analysis cookies made for our website via the Klaro! Consent Manager service for the future. To do this, call up the “cookie settings” at the bottom of our website and activate or deactivate the desired cookie categories by setting or removing the respective check marks.
b) Embedded YouTube videos
We have integrated YouTube videos in our online offer. These videos are stored at https://www.youtube.com/ and are embedded in our website using "privacy-enhanced mode". This means that YouTube does not set cookies on your device and that no data about you as a user is sent to YouTube if you do not play the videos. Only when you play the videos are cookies set and the data specified below transmitted. We have no control over this kind of data transfer. You can find more information about the use of cookies in Google's cookie policy at https://policies.google.com/technologies/cookies?hl=en-GB#types-of-cookies
If YouTube stores cookies on your device, your device will transmit them to our website. As a user, you therefore have full control over the use of cookies. You have the option of stopping the use of cookies. To do this, you have to change the settings in your Internet browser (e.g. Internet Explorer, Mozilla Firefox, Opera or Safari). Cookies that have already been stored can be deleted at any time. That can also be done automatically. If you deactivate cookies for our website, it may mean that you cannot use all functions of the website in their entirety.
The following data will be transmitted to YouTube when playing YouTube videos:
- IP address
- Date and time of request
- Address of the webpage visited
- Access status/HTTP status code
- Data volume transmitted in bytes
- Play length of video
- Website from which the request originated (link)
- Browser used
- Operating system and its interface
- Language and version of the browser software
This data will be sent, irrespective of whether you log in to YouTube via your user account or whether you even have a user account. If you are logged in to Google, your data will be directly matched to your account. If you do not wish your data to be associated with your YouTube profile, you need to log out before clicking on the relevant button. YouTube saves your data as a user profile and uses it for advertising, for market research and/or to tailor the design of its website to the needs of users. You have the right to object to the creation of these user profiles; you can contact YouTube to exercise this right.
Google's privacy policy contains further information on the purpose and extent of the processing of user data by YouTube. Visit https://policies.google.com/privacy?hl=en-GB&gl=de for more information about your rights and the various settings to protect your privacy.
Google also processes your personal data in the US and has committed to complying with the Data Privacy Framework programme: https://www.dataprivacyframework.gov/
c) Social media integration
Content from our social media channels is integrated into our websites using the Flockler plug-in (flockler.com) provided by Relay Commerce, Inc. (1201 W Peachtree St NW Ste 2625 #36051, Atlanta, USA). Content is displayed only once you have given your consent. The legal basis for this is Article 6 (1) (a) GDPR.
Relay's privacy policy contains further information on the purpose and extent of the processing of user data: https://www.relaycommerce.io/privacy-policy
d) Specifics for using product pages with registration options
We market specific products on certain web pages; you have the option of accessing further information by registering. Currently, these websites are:
- https://aak.aareal-bank.com/
- https://kautionen.aareal-bank.com/login
- https://kautionsverwaltung.aareal-bank.com/
- https://service.aareal-bank.com/
Following your consent, you may, for example, initiate a callback, or register to use product test systems or to participate in webinars.
As part of targeted advertising campaigns, we may send personalised postal or electronic advertising to corporate clients. Users can access personalised product pages through a code in the relevant advertising. Whenever a product page is called up, this will be recorded and the tracking information will be added to the existing data.
We use a "double-opt-in" procedure to process your registration. This means that, when you register, we send an email asking for your confirmation that we may contact you via the selected communication channel and send you further product information. If you do not confirm your registration, we may contact you again by email. In addition, we store your IP addresses as well as the registration and confirmation times. This serves as evidence of your registration and to clarify any misuse of your personal data.
Your name and email address are mandatory if you wish to register for the above services, as is your telephone number in case you would like to be called back. The disclosure of additional, separately marked data, such as the name and size of your company, is voluntary. This information is used to inform you in the most appropriate manner about products that fit your business purpose. Once we receive your confirmation, we store your email address to launch the services that you have selected. The legal basis for this approach is Article 6 (1) (a) GDPR.
If you request a binding quotation via one of the product pages, the additional information necessary to prepare the offer will also be marked as mandatory fields. Once we receive your confirmation, we store your information to launch the services that you have selected. The additional legal basis is Article 6 (1) (b) GDPR.
The recipient of the aforementioned data is our service provider SAP Deutschland SE & Co. KG, Hasso-Plattner-Ring 7, 69190 Walldorf.
You can revoke your consent to the storing of your personal data at any time. To do so, please email your revocation to sales(at)aareal-bank.com or address it to the contact details in the legal notice on the website.
Please note that we analyse your user behaviour in connection with the above services. For this purpose, emails contain web beacons or tracking pixels, which are single-pixel image files stored on our website. For our analysis, we link the above data and web beacons to your email address and an individual ID. Using the data obtained in this manner, we create a user profile to be able to outline our offer to you in line with your specific interests. We record the times when you read any content on our website and track the links you click on, which may trigger further steps, such as sending you an access code for a product testing system or contacting you by telephone.
If we process your data when providing test access, this data will be deleted once the conversation with the user ends and no other recognised legal basis (in particular statutory retention or archiving obligations) permits further processing. You will receive more details of processing as part of test access when you set up the test access.
e) Online consent to changes to terms in client contracts
We offer our clients the option to agree to changes to terms and conditions electronically. This not only saves resources and protects the environment, but also makes it easier for our clients to give their consent. For this purpose, we use an online solution operated by finone GmbH (Stephanstr. 3, 60313 Frankfurt am Main). finone GmbH acts as our processor and processes personal data in accordance with our instructions.
Initially, the technical data required to provide the online solution, such as the IP address, is processed. If consent is given, the data actively entered by our clients and a time stamp will also be processed.
This personal data is processed to allow us to provide our clients with an online solution, to evidence our clients' consent, to prevent misuse and to ensure the security of the systems in use. This is also our legitimate interest (Article 6 (1) (f) GDPR).
All persons who make use of the option to provide their consent electronically via the aforementioned online solution are affected by this processing.
The personal data collected for the purpose of accessing the content will be deleted after the end of the session. All other data that serves as proof of consent will be deleted after the end of the contractual relationship unless another legally recognised legal basis (in particular statutory retention or archiving obligations) permits further processing.
f) Reporting procedure in accordance with the German Supply Chain Due Diligence Act
We provide the option to make reports to us in accordance with the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG). We have set up our systems in such a way that reports can be made anonymously. If you send us personal data when making reports, this data is processed in strict confidentiality on a need-to-know basis. This means that, within the Bank, only those departments that need your data to process your report and fulfil the Bank's legal obligations have access to the data collected in connection with the report.
When reports are made via our reporting channel, the personal data sent by the reporting person is processed by our subprocessor People intouch B.V. (Olympisch Stadion 6, 1076 DE Amsterdam, The Netherlands). The reporting channel is used to collect and forward the information to the persons responsible internally. When reports are made by telephone, the spoken word is converted into text and made available to us in written form. In certain cases, personal data may be passed on to investigative or supervisory authorities if there is a legal obligation to do so. Otherwise, the identity of the reporting person will be disclosed (including within the Bank) only if the relevant consent has been obtained.
The data provided to us is processed to allow us to handle the report and take any follow-up measures. The legal basis for processing is Article 6 (1) (c) GDPR in conjunction with section 8 LkSG.
Additional processing of personal data carried out in the context of establishing contact serves to prevent misuse of the contact options and to ensure the security of our systems (Article 6 (1) (f) GDPR).
All persons who disclosed their identity when submitting a report or who were named by the whistleblower as part of the report are affected by this processing. No transfer of data to a third country is planned; however, data may be transferred to individual group companies under the above-mentioned conditions in individual cases for reports with a foreign connection. If data is transferred to a third country, the transfer is carried out exclusively in accordance with the GDPR (in particular Article 44ff. GDPR). If data is transferred to third countries without an adequacy decision by the EU Commission, we take additional protective measures, e.g. by concluding standard data protection clauses.
The personal data collected as part of a report is deleted as soon as the respective report has been processed and no other legally recognised legal basis (in particular statutory retention or archiving obligations) permits further processing. The statutory retention period for report documentation is seven years.
g) JavaScript library
We use the jQuery JavaScript library for the operation of our website. This library is hosted on our servers. Data is transferred only between your device and our servers.
h) Contacting us
Within our online service, you have the option to contact us via a form, by telephone or by email.
If a user contacts us via the contact form, the data provided in the respective form as well as the following data is processed:
- Date and time of sending
- IP address of the connection from which the form was sent
- Address of the page on which the contact form appears.
Mandatory information is indicated on the forms. We cannot process your enquiry without this data.
It is also possible to contact us using the email address provided or by telephone. In this case, the data provided by the contacting person will be stored.
If contact is made to obtain further information about our products, the data entered or information provided may be forwarded to companies appointed by us to respond to individual enquiries. Currently, this may be First Financial Software GmbH, Isaac-Fulda-Allee 6, 55124 Mainz and plusForta GmbH, Talstrasse 24, 40217 Düsseldorf.
The data provided to us is processed to allow us to handle your enquiry. This also constitutes our legitimate interest.
Additional data processing carried out in the context of establishing contact serves to prevent misuse of the contact options and to ensure the security of our systems.
The legal basis for the processing of data transmitted in the context of establishing contact is therefore Article 6 (1) (f) of the GDPR. If contact is made for the purpose of concluding a contract, the additional legal basis is Article 6 (1) (b) GDPR. In the case of complaints, and reports pursuant to the German Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG) and the LkSG, the additional legal basis is Article 6 (1) (c) GDPR.
All persons who contact us via the aforementioned communication channels are affected by this processing. No transfer of data to third countries is planned.
The data will be deleted as soon as the respective conversation with the user has ended and no other legally recognised legal basis (in particular statutory retention or archiving obligations) permits further processing. The conversation has ended when the circumstances show that the matter has been conclusively resolved.
i) Complaints
If you submit a complaint to us, we will process the personal data that we receive from you in connection with your complaint. If you submit a complaint via the contact form on our website, this data will comprise, as a minimum:
- Title
- First name
- Last name
- Email address
- Date and time of sending
- IP address of the connection from which the form was sent
- Address of the page on which the contact form appears.
We process this personal data for the purposes of handling your complaint as part of a contractual relationship in accordance with Article 6 (1) (b) GDPR, to comply with legal obligations in accordance with Article 6 (1) (c) GDPR or based on your consent in accordance with Article 6 (1) (a) GDPR.
Within the Bank, the departments that gain access to your data are those departments that need the data to handle your enquiry or to meet our legal and regulatory obligations. Service providers and vicarious agents employed by us may also receive data for the aforementioned purposes if they observe banking secrecy and our written data protection instructions. In particular, these are companies in the categories of banking services and IT services.
Moreover, we disclose information about you only if statutory or supervisory law obligations compel us to do so. Subject to these requirements, recipients of personal data may also be public bodies and institutions, such as Deutsche Bundesbank, the German Federal Financial Supervisory Authority, the European Banking Authority and the European Central Bank.
We process and store your personal data for as long as is necessary for the aforementioned purposes. The data will be deleted as soon as the handling of the respective complaint has been completed and no other recognised legal basis (in particular statutory retention or archiving obligations) permits further processing. The handling of a complaint has been completed when the circumstances show that the matter has been conclusively resolved.
j) Compliance with legal requirements
We also process your data to comply with our other legal obligations in connection with your use of our services. In particular, these include retention obligations.
The legal basis for this processing is Article 6 (1) (c) in conjunction with the respective specific legal bases. The data storage period is based on the respective specific legal bases.
k) Enforcement of rights
We may also process your data for the assertion and enforcement of our rights and legal claims. We likewise process your data to allow us to defend ourselves against legal claims. Finally, we process your data where this is necessary for the defence or prosecution of criminal offences. The legal basis for this is Article 6 (1) (f) GDPR insofar as we establish legal claims or defend ourselves in legal disputes, or we prevent or investigate criminal offences.
4. Data controller
The controller as defined in the GDPR is:
Aareal Bank AG
Paulinenstr. 15
D-65189 Wiesbaden
Tel.: +49 (0) 611 348-0
Fax: +49 (0) 611 348-72217
You can also contact us via our contact form.
You can also find more information about us in our legal notice.
Please note that our websites contain links to third-party websites. We are not responsible for these linked third-party websites; they are the responsibility of the respective third-party controller within the meaning of the GDPR. Before using such third-party websites, please review the data protection information provided on the respective website to find out how the third party processes your data.
5. Data Protection Officer
Our data protection officer can be contacted as follows:
Data Protection Officer
c/o Aareal Bank AG
Paulinenstr. 15
D-65189 Wiesbaden
Email: datenschutz(at)aareal-bank.com
6. Rights of the data subject
With respect to the processing of your data, under the respective legal requirements you have the right,
- according to Article 15 of the GDPR, to request information from us about your data that we process as well as other specific information;
- according to Article 16 of the GDPR, to request the immediate rectification of incorrect data and the completion of incomplete data stored by us;
- according to Article 17 of the GDPR, to request the deletion of data stored by us if there are grounds for deletion and we do not have a right or obligation to retain the data;
- according to Article 18 of the GDPR, to request the restriction of processing of your data;
- according to Article 20 of the GDPR, to receive your data that you have provided to us in a structured, commonly used and machine-readable format or to request the transmission of the data to another controller (data portability).
Right of revocation
If your data is processed based on your consent in accordance with Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, you may, pursuant to Article 7(3) GDPR, revoke your consent at any time without providing a reason. Please note that the revocation does not affect the lawfulness of the processing carried out prior to consent being withdrawn.
Right to object
If your data is processed based on Article 6(1)(e) GDPR (public interest) or Article 6(1)(f) GDPR (safeguarding legitimate interests), you have the right, pursuant to Article 21(1) GDPR, to object, on grounds relating to your particular situation, at any time to the processing of personal data. If you object, we will no longer process your data, unless we can provide compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to establish, exercise or defend legal claims.
You can assert any of the rights outlined in this section 6 – including the right of revocation and the right to object – in any format. To do so, please contact us using the contact details provided in section 4.
7. Right to lodge a complaint with a supervisory authority
If you believe that we have not processed your data in accordance with the legal regulations, you also have the right to lodge a complaint with the relevant supervisory authority. The authority responsible for our company is:
Hesse Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
P.O. Box 3163
65021 Wiesbaden
8. Passing on information/data
Within Aareal Bank AG, your data can be accessed by the departments that need this data for the aforementioned purposes or to perform their other duties and meet their obligations.
It may also be necessary to pass on your data to the service providers we use or to third parties. The service providers appointed by us that receive your data have generally entered into a processing contract with us (Article 28 GDPR) and are strictly required to process the data in line with our instructions.
You can find more information on whether and which third parties may receive your data in the relevant sections on specific processing.
9. Third-country transfers
When you use our website, your data may be transmitted to third countries (countries outside the European Union and the European Economic Area). Such transfers of data take place exclusively on the basis of an adequacy decision by the Commission (Article 45 GDPR) or appropriate safeguards (Article 46 GDPR).
You can find more information on whether and to what extent your data may be transferred to third countries in the relevant sections on specific processing.
10. Duration of storage
We delete your data when it is no longer required for the purposes sought by the processing or for reasons of retention for any queries and when there is no remaining statutory retention obligation or legal basis.
You can find more information on the specific duration of storage or the criteria for determining the duration of storage in the relevant sections on specific processing.
11. Automated decision-making
We create user profiles as part of certain services on our website. You can find more information on whether, how and to what extent (logic, scope, impact) we create user profiles in the relevant sections on specific processing.
Otherwise, we do not process your data for the purposes of automated decision-making or to evaluate personal aspects (profiling).
12. Obligation to provide data
You are not obliged to share your personal data with us. However, if you choose not to do so, you may not be able to use our website at all or to the full extent or we may not be able to process your enquiry or conclude or execute a contract with you. Data that is required in order for us to process your request is marked with an asterisk (*).