Privacy information for our website

The controller, within the meaning of the General Data Protection Regulation as well as in accordance with other data protection laws, is

DZ HYP AG

Hamburg office
Rosenstrasse 2, 20095 Hamburg
PO Box 10 14 46, 20009 Hamburg
Germany
Telephone: +49 40 3334-0

Munster Office
Sentmaringer Weg 1, 48151 Munster
Germany
Telephone: +49 251 4905-0

E-mail: info@dzhyp.de

You can also reach our Data Protection Officer at the postal address above, or via

Telephone: +49 40 3334-2311
E-mail: datenschutz@dzhyp.de

Our Deputy Data Protection Officer has - with the same postal & email address - the following telephone number:
Telephone: +49 40 3334-3626

Each time you access our website, our system automatically records data and information from your computer system. Specifically, the system collects the following data as part of this process:

• information about the browser type and version used;
• the user's operating system;
• the user's IP address;
• date and time of access.

We collect this data in order to safeguard the functional capability of our website, and – in the event of attacks on our internet presence – in order to be able to gather indications for countermeasures, or to secure evidence for any criminal prosecution. Data in the log files will be deleted after 31 days following collection, unless it must be retained for a period of two years under a legal obligation in exceptional cases (upon occurrence of a security incident). The legal basis for processing this data is our overriding legitimate interest pursuant to Article 6 (1) f GDPR, as well as the legal obligation (if applicable) under Article 6 (1) c GDPR in conjunction with section 25a of the German Banking Act (KWG).

You can use the contact form on our website to send a message to us. When using the contact form, we will process the contents of your message (in addition to the personal data set out under 1. above):

• first name, surname, subject, e-mail, message (mandatory fields);
• company and telephone number if applicable (optional fields).

Your message to us will be transmitted using end-to-end encryption, without any possibility for third parties to access the message. We will accept and acknowledge the contents of your message with your consent in accordance with Article 6 (1) a GDPR. We will retain your message for a period of six months following processing, and will delete the message thereafter – unless a longer retention period is required, for statutory or contractual reasons, given the contents of the message or its context.

On our website, we use the "Friendly Captcha" service provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. Friendly Captcha GmbH acts as our data processor. Friendly Captcha is a privacy-friendly protection solution designed to make it more difficult for automated programmes and scripts (so-called "bots") to use our website. Friendly Captcha thus protects our website from misuse.

a. How it works

We have integrated a program code from Friendly Captcha ("protection software") into certain areas of our website (e.g. in a contact form). This causes the visitor's device to establish a connection to the Friendly Captcha servers in connection with the protected area (e.g. when submitting a contact form).

The visitor's browser receives a calculation task from Friendly Captcha. The complexity of the calculation task depends on various risk factors. The visitor's device solves the calculation task, which uses certain system resources, and sends the calculation result to our web server.

This contacts the Friendly Captcha server via an interface and receives a response indicating whether the puzzle has been solved correctly by the end device. In addition, the visitor's browser transmits the connection data, environmental data, interaction data and functional data specified in more detail below to Friendly Captcha (for information on the data, see section d.). Friendly Captcha evaluates this data and determines how likely it is that the user is a human or a bot and sends us the result. Depending on this, we can treat access to our website or individual functions as human or potentially machine-generated.

b. Purpose of use

All data mentioned is used exclusively for the above-described detection and handling of potential bots and risks. The purpose of processing is therefore to ensure the security and functionality of our website. We do not use the data to identify a natural person or for marketing purposes.

c. Storage period

If personal data is stored, it will be deleted within 30 days.

d. Processed data

The following data is processed exclusively for the security purposes mentioned above.

Connection data:

• HTTP request data, i.e. data that is generated each time a website is accessed (e.g. user agent, browser type, operating system) and referring website, protocols and ports used.
• IP address: IP addresses are only stored by Friendly Captcha in hashed (one-way encrypted) form and do not allow us or Friendly Captcha to identify individual users.
• Connection exchange data: Technical information about how a connection was established between the browser and the Friendly Captcha server.
• Network statistics, e.g. bandwidth

Environment data:

• Browser properties and settings (e.g. preferred language, installed fonts, local time)
• Device data (e.g. available memory, screen resolution, operating system)
• Technical data on program code execution (e.g. error codes, browser events)

Interaction data:

• Times, frequencies and statistics of keystrokes, but without allowing any conclusions to be drawn about specific text entries, e.g. by only taking functional keys such as Enter or Delete into account.
• Scroll and mouse movements
• Window adjustments, e.g. resizing

Functional data, e.g.:

• Version, status and configuration data of the protection software
• Software components used
• Random identifiers (e.g. session ID)
• Technical counters (e.g. number of repeated connection attempts)
• Data for executing program code
• Solutions to the calculation tasks

The following data is stored in the browser's session storage only for the duration of the browser session and is absolutely necessary to ensure the security of the website: A random session ID, the number of times the protection software modules have been loaded, the number of requests and repeated connection attempts, and the solutions to the arithmetic problems and their solution context.

We do not use HTTP cookies and we do not store any data in the browser's persistent memory.

e. Legal basis in accordance with the GDPR

Insofar as data is personal, the legal basis for processing is our legitimate interest in protecting our website from misuse by bots, including spam protection and protection against attacks (e.g. mass queries), Art. 6(1)(f) GDPR.

f. Data recipients

Friendly Captcha acts as our processor in accordance with our instructions and for the specified purpose. Friendly Captcha uses hosting services provided by Hetzner Online GmbH, based in Germany, and SCALEWAY S.A.S, based in France, for hosting and delivering content.

On our website ‘Meine Baufinanzierung’, private borrowers can obtain information and submit requests to us to adjust the data relating to their loan. The following personal data is processed in this context:

• Identification data relating to the loan (loan number, first name, surname, borrower)
• Personal data (first name, last name, email address, telephone number, support status, contact details of the person submitting the application)
• Data relating to the request (subject, loan details, property details, personal data)
• Verification documents (identity card, support card)
• Documents relating to the request (contracts, images, architectural drawings, invoices, etc.)

The receipt and acknowledgement of the data entered by us and the processing of personal data is based on Art. 6 (1a) GDPR with your consent or for the fulfilment of an existing contract with you / implementation of pre-contractual measures in accordance with Article 6 (1b) GDPR exclusively for the purpose of processing your request. Your message will be stored by us for a further 6 months after processing and then deleted, unless a longer storage period is required for legal or contractual reasons based on the content of the message or the further context.

The transfer of your data to us is encrypted throughout using current security standards, without the possibility of access by third parties.

Your entries are not temporarily stored in ‘Meine Baufinanzierung’ at any time. The data you enter is transmitted directly and in encrypted form to the relevant systems or service providers. DZ HYP AG uses the contract processor Ratiodata SE, Gustav-Stresemann-Weg 29, 48155 Münster, for the technical implementation of ‘Meine Baufinanzierung’’.

This processor is contractually obliged to process the personal data transmitted to it exclusively for the purposes specified by us and in accordance with our instructions (Article 28 GDPR). The processor is also obliged to take appropriate technical and organisational measures to protect personal data. The processor does not process or pass on the data independently.

In order to continuously optimise our ‘Meine Baufinanzierung’’ service and make it more user-friendly, we evaluate how users interact in the individual process steps. In doing so, we record, for example, at which points application processes are interrupted or users linger unusually long. This information helps us to identify and improve possible structural or content-related obstacles. In addition, we evaluate which search terms are entered and whether matching results are displayed for these search queries. The aim of this evaluation is to make existing content easier to find and to identify and close potential information gaps.

This data is processed on the basis of our legitimate interest pursuant to Article 6 para. 1f GDPR in the continuous improvement and further development of our online offering. The evaluation is pseudonymised; no conclusions are drawn about individual users. For information on the storage of technically necessary data and the use of cookies and similar technologies, please refer to the following provisions of this privacy policy.

Further information on the processing of your personal data and your rights can be found in the general ‘Data Protection Information for the Processing of Personal Data of Private Customers’ on this website.

We have placed links to services such as Google Maps, Youtube, etc. in various places on our website for ease of use, to offer additional services, and to facilitate the use of social media services. The following statements and policies apply to such links:

1. Technically, we have placed links or embedded the relevant media on our website in such a way that the respective providers cannot collect or use any personal data when our website is called up.
2. If you decide to actively launch or use such services, you will be notified that personal data will be transferred to the service provider as a consequence of using the respective service, and you will be requested to approve transfer of the corresponding data.
3. Collection and processing of personal data by such providers will take place outside our website; we do not have any detailed knowledge concerning the type, scope and methodology of such processing.
4. An overview of services or providers which are accessible via our website is provided below, together with a link to their respective privacy policies:
   1. LinkedIn is a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (privacy policy: https://de.linkedin.com/legal/privacy-policy?)
   2. Youtube and Google Maps are services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (privacy policy: https://policies.google.com/privacy)
   3. Kununu is a service provided by New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany (privacy policy: https://privacy.xing.com/en/privacy-policy)
   4. Instagram is a service provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (privacy policy: https://privacycenter.instagram.com/policy/)
   5. Spotify ist a service provided by Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden (privacy policy: https://www.spotify.com/de/legal/privacy-policy/) 

(Updated as at 1 Dec 2023; we accept no responsibility regarding correctness and up-to-dateness)

On our website, we use the service walls.io provided by Walls.io GmbH, Schönbrunner Straße 213/215, 3rd floor, 1120 Vienna, Austria (“walls.io”).

This service allows us to aggregate content from various social media platforms and present it on our website. You also have the option of sharing the content displayed via the services of the respective social media providers after clicking on it. This is done on a voluntary basis and subject to the terms and conditions of the respective social media provider. When you access content on the social wall, information about your use of our website and your IP address is transmitted to walls.io. This data is processed exclusively for the purposes mentioned above and to maintain the security and functionality of walls.io.

The use of the service is based on our legitimate interests, i.e., interest in platform-independent provision of content, in accordance with Article 6 (1) f GDPR.
Further information can be found in the privacy policy for walls.io: https://walls.io/privacy.

We avoid using cookies on our websites as a matter of principle. To the extent that cookies are used, such cookies are exclusively and strictly necessary for technical operation of the website; no personal data is processed in this connection.

Like other providers, we collect data in order to analyse use of our websites, with a view to improving our offer through the insights gained. The software we use for this purpose is Matomo (www.matomo.org), a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand. Matomo does not compile the necessary data from log files or cookies. Data collected using Matomo technology (including parts of your IP address) is processed on our servers in anonymised form.

1. you have the right of access to your personal data (Article 15 GDPR);
2. you have the right to rectification (Article 16 GDPR) or erasure (Article 17 GDPR) of personal data, and to demand restriction of processing of your personal data until a decision on rectification or erasure has been taken (Article 18 GDPR);
3. you have the right to object to processing of your data on the grounds of our overriding legitimate interests (Article 21 GDPR); and
4. you may lodge a complaint about our processing of data, to ourselves or to a supervisory authority, if you believe that processing of your personal data constitutes a breach of the GDPR or data protection laws of the Federal Republic of Germany or the German Federal states (Article 57 (1) f GDPR).

To assert your rights, please contact the persons identified under I. above (controller and Data Protection Officer, respectively). We will be pleased to respond. Please note that we will only be able to provide information if we can identify you as the owner of the data concerned, with sufficient certainty. Therefore, please provide us with appropriate information in advance if possible.