This is a non-binding English language translation of the “Datenschutzerklärung der Chartered Investment Germany GmbH”. The German language “Datenschutzerklärung der Chartered Investment Germany GmbH” is legally binding and is published on https://chartered-opus.com/datenschutz/
Chartered Investment Germany GmbH respects and protects the privacy of its clients and complies with all data protection regulations. What does this mean in plain language when it comes to clients’ personal data?
With the following information, the Institute provides an overview of the processing of the personal data of clients by the Institute and the rights of clients under the German Federal Data Protection Act and the General Data Protection Regulation, respectively. Which data are processed in detail and how they are used depends largely on the services requested or agreed in each case. Clients are also requested to pass on information to current and future authorised representatives and beneficial owners.
1. Responsibility for Data Processing
Responsible body is:
Chartered Investment Germany GmbH
Fürstenwall 172a/6. OG
Tel.: +49 211 93678 25-0
The Institute has the status of an approved and licensed investment service provider by the Federal Financial Supervisory Authority (BaFin) and is subject to the associated auditing and quality requirements.
2. Processing of Personal Data
The Institute processes personal data that it receives from its clients in the course of its business relationship. This is the case if the clients contact the Institute, e.g. as interested parties, applicants or clients and in particular if the clients are interested in the Institute’s products and fill out the deposited contact form, register for online services or contact the Institute by e-mail, telephone or application and use the products and services in the context of an active business relationship. In all these cases, the Institute collects, stores, uses, transmits or deletes personal data.
In addition, to the extent necessary for the provision of the service, the Institute shall process personal data collected by the Institute itself from other third parties (other service providers of the Institute, e.g. contractually bound agents), which it has legitimately received (e.g. as part of the execution of events, for the execution of orders, for the fulfilment of contracts or on the basis of a consent given by the client). On the other hand, the Institute processes personal data that it has legitimately obtained and was permitted to process from publicly accessible sources (e.g. trade and association registers, Federal Gazette, press, media, Internet, land registers).
In certain cases, the Institute collects personal data from potential clients and interested parties.
Where necessary, the Institute also collects personal data from persons who are not directly connected to it and who belong, for example, to one of the following groups of persons:
- Family members
- Legal representatives (authorised representatives)
- Beneficiaries of customers
- Beneficial owners of the customers
- Representative of legal entities
- Employees of service providers or trade partners
(1) Personal data may be collected, processed and stored when products/services are purchased and used.
The Institute processes the following personal data:
- Identity information: (e.g. first and last name, ID or passport number, nationality, place and date of birth, gender, photograph, IP address)
- Contact information: (address, e-mail address and telephone number)
- Control information: (tax identification number, tax status)
- Bank, financial and transaction data: (e.g. bank details (IBAN), money transfers to the customer’s account/deposit, assets, investor profile provided)
- data on habits and preferences: (IP addresses, data on the use of the Institute’s products and services in relation to banking, financial and transaction data, data on interaction between the client and the Institute (visits to the Institute’s website, personal meetings, telephone calls, chat sessions, e-mail traffic, surveys)
- Securities business: information on knowledge and/or experience with financial instruments, risk appetite of the client (MiFID status), information on education and occupation (e.g. level of education, occupation, name of employer, earnings, financial situation, including the ability to bear losses (assets, liabilities, income, e.g. from employment/self-employed work/commercial operation; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), concrete goals/significant concerns in the future (e.g. planned acquisitions, redemption of liabilities), marital status and family situation, tax information (e.g. information on duty to pay church tax), documentation data (e.g. declarations of suitability)
- Interest, currency and liquidity management: information on knowledge and/or experience with interest/currency products/money investments (MiFID status), investment behaviour/strategy (scope, frequncy, willingness to take risks), profession, financial situation (assets, liabilities, income, e.g. from employed/self-employed work/commercial operation; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), concrete goals/significant concerns in the future (e.g. planned acquisitions, redemption of liabilities), tax information (e.g. information on duty to pay church tax), documentation data (e.g. minutes of consultation)
- Client contact information: During the business initiation phase and during the business relationship, in particular through personal, telephone or written contacts, initiated by the client or the Institute, further personal data, e.g. information on the contact channel, date, occasion and result, (electronic) copies of correspondence as well as information on participation in direct marketing measures and details of the interests and wishes of the customers who have expressed these to the Institute
- Recording of calls
Personal data concerning racial or ethnic origin, political beliefs, religious or ideological views, membership of a trade union, as well as genetic data, biometric data for the unique identification of a natural person, health data or data concerning sexual life or sexual orientation are generally not processed by the Institute (unless it is necessary for the payment of church tax or is a copy of the identity card required by the Institute due to obligations arising from money laundering laws). The Institute also does not collect data from children.
(2) When visiting the website en.chartered-opus.com:
When the website of the Institute is accessed, information is automatically sent to the server of the website of the Institute by the browser used on the client’s terminal/computer. This information is temporarily stored in a so-called log file. The following information is collected without the client’s intervention and stored until it is automatically deleted:
- IP address of the requesting computer (or terminal device)
- Date and time of access
- Name and URL of the retrieved file
- Website from which access is made
- The browser used and, if applicable, the operating system of the computer (or terminal device) used and the name of the client’s access provides
This page uses so-called web fonts for the uniform display of fonts. Provider of this service is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you access the site, your browser loads the web fonts you need into its browser cache to display text and fonts correctly.
For this purpose, the browser you are using must connect to Google’s servers. This gives Google knowledge that our website has been accessed via your IP address. The use of Google Web Fonts is in the interest of a uniform and appealing presentation of our online services. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.
If your browser does not support web fonts, a standard font will be used by your computer.
We have integrated the component Google Analytics (with anonymisation function) on our website. Google Analytics is a web analytics service. Web analysis is the collection, collection and evaluation of data on the behaviour of visitors to Internet sites. A web analysis service collects, among other things, data about which website you came from (so-called referrer), which subpages of the website were accessed or how often and for how long a subpage was viewed. A web analysis is mainly used to optimize a website and for cost-benefit analysis of Internet advertising.
The Google Analytics component is operated by Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
We use the addition “_gat._anonymizeIp” for web analysis via Google Analytics. By means of this addition, Google shortens and anonymizes the IP address of your Internet connection when you access our Internet pages from a member state of the European Union or from another state party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information collected to evaluate the use of our website, among other things, to compile online reports for us that show the activities on our website and to provide other services in connection with the use of our website.
Google Analytics places a cookie on your information technology system. We have already explained to you above what cookies are. By setting the cookie, Google is enabled to analyse the use of our website. Each time you visit a single page of this website operated by us, on which a Google Analytics component has been integrated, the Internet browser on your information technology system is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google obtains knowledge of personal data, such as your IP address, which Google uses, among other things, to trace the origin of visitors and clicks and subsequently enable commission statements.
This measure stores personal information, such as access time, the location from which access came and the frequency of your visits to our website. Every time you visit our website, your personal data, including the IP address of your Internet connection used, is transferred to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may disclose personal data collected through the technical process to third parties.
As described above, you can prevent the setting of cookies at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a cookie on your information technology system. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.
You can also specifically enable/disable the use of Google Analytics for our site.
Marketing Automation with Mautic
On this website we use mautic – an open source tool for marketing automation. This is an analysis and tracking software for the allocation and storage of usage data (e.g. browser used, last visited page, duration of stay). The software uses this information to individualize our marketing activities and better align them to the interests of each individual user. In addition, the software helps us to better evaluate the success of individual marketing measures.
Mautic is hosted by us on specially operated servers. The data is not passed on to third parties. We collect and process data with mautic only to the extent necessary to achieve the business goals of twentyZen GmbH with you.
Mautic’s working methods are expressed by this:
a) E-mail marketing and campaigns
In so-called e-mail marketing, personalised e-mails are sent to you. Some of these e-mails are based on the user behaviour on the www.twentyzen.com website, when reading our e-mails and when interacting with the links contained therein. We also send e-mails as part of campaigns.
b) Landing pages
Landing pages are special websites that have been defined as the target of advertising campaigns. They usually contain interaction options, e.g. for downloading whitepapers or checklists and forms for collecting information about you.
The software uses various technical procedures to assign individual activities to anonymous profiles or – with prior consent – to the profiles of individual users:
c) tracking pixels
In order to recognize whether, for example, an e-mail has been opened, mautic uses so-called tracking pixels. These pixels are used to load a small graphic from the provider’s server that was previously assigned to an individual user profile.
d) Personalized Web Links
In order to recognize whether, for example, a user is calling a link from an e-mail, mautic adds a unique identifier to these links, which was previously assigned to an individual user profile.
e) IP address
The IP address currently used by website visitors is transmitted to us each time our website is accessed. Mautic uses this address to recognize users of the website.
The data collected in this process is:
- the activity on our website
- Number of page views and length of stay of the website visitor
- the click path of the respective visitor
- Downloads of files provided via the website
- Visits from Landingpages
- Opening e-mails from newsletters and campaigns
In the context of a registration on the website or the download of a whitepaper, the provider collects a fee by the use of mautic
- Contact information (such as name, postal or e-mail address, telephone or fax number).
- Business contact information (such as your job title, name of my business, business e-mail address, telephone or fax number).
- The IP address of the terminal from which the Website is accessed (a number that identifies your current Internet computer connection).
The released data is clearly recognizable for the user by filling out a form. The data required to send the form will be identified.
Mautic will only be used if you have expressly given your consent to the use of so-called “first-party cookies” when using our website for the first time. You can revoke this consent at any time to the contact person named by us above. In this case, all tracking data collected using mautic will be deleted immediately.
(3) Supplier data
The Institute collects personal data from its suppliers in the course of its cooperation with them in order to ensure a smooth business relationship. The Institute records the data of the contact persons within the organisation, e.g. name, telephone number and e-mail address. The bank also enters bank data in order to make payments to suppliers.
3. Purpose of Processing and Legal Basis
The Institute processes the aforementioned personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):
(1) For the fulfilment of contractual obligations (Article 6 para. 1 lit. b GDPR):
The processing of personal data is carried out in order to provide financial services within the framework of the execution of contracts between the institution and its clients or for the execution of pre-contractual measures which are taken at the request of the clients. The purposes of data processing are primarily based on the specific product (see point 2) and may include, among other things, needs analyses, advice, asset management and support, investment advice and the execution of transactions. Further details for the purpose of data processing can be found in the respective contractual documents and terms and conditions.
The Institute processes the personal data of persons within the organisation of its suppliers in order to be able to make use of their services. It also stores the financial data so that it can pay for its suppliers’ services.
(2) In the context of balancing interests (Article 6 para. 1 lit. f GDPR):
Where necessary, the Institute shall process client data beyond the actual performance of the contract in order to safeguard the legitimate interests of the Institute or third parties. Examples:
- Assertion of legal claims and defence in legal disputes
- Ensuring the IT security and operation of the Institute
- Prevention of criminal offences, in particular fraud prevention
- Video surveillance for the protection of house rights, for the collection of evidence in case of robberies and fraud offences
- Measures for building and system security (e.g. access controls)
- Measures to secure the domiciliary right
- Measures for business management and further development of services and products
- Ensuring a smooth connection of the website
- Ensuring comfortable use of the Institute’s website
- Evaluation of system security and stability as well as
- For other administrative purposes
Under no circumstances does the Institute use data to draw conclusions about the person of the respective client.
(3) On the basis of the client’s consent (Article 6 para. 1 lit. a GDPR):
If the client has consented to the processing of personal data for certain purposes (e.g. passing on data in order to use his data for certain advertising purposes), the legality of this processing is given on the basis of the consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent issued to the Institute prior to the validity of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this. If the Institute intends to use the client’s personal data for purposes other than those mentioned above, the Institute will inform the client accordingly and, if necessary, obtain their consent.
(4) Due to legal requirements (Article 6 para. 1 lit. c GDPR) or in the public interest (Article 6 para. 1 e GDPR):
As a financial services institution, the Institute is also subject to various legal obligations. This means that legal requirements (e.g. German Banking Act, Money Laundering Act, Securities Trading Act, tax laws) and banking supervisory requirements (e.g. of the European Central Bank, the European Banking Supervisory Authority, the German Federal Bank and the Federal Financial Supervisory Authority (BaFin)) must be fulfilled. The purposes of the processing include identity and age verification, fraud and money laundering prevention, compliance with sanctions and embargo provisions, answering official inquiries from a competent state body or judicial authority, the fulfilment of tax control and reporting obligations as well as the evaluation and control of risks at the institute.
4. Recipients of Personal Data from Clients
Within the Institute, those departments are granted access to the client’s data that are needed to comply with the contractual and legal obligations. Service providers and vicarious agents employed by the Institute may also receive data for these purposes if they observe banking secrecy and the bank’s instructions under data protection law in writing.
With regard to the transfer of data to recipients outside the Institute, it must first be noted that the Institute is obliged to maintain confidentiality about all client-related facts and assessments of which it becomes aware.
The Institute may only pass on information about clients if required to do so by law, if the client has consented, if contract processors commissioned by the Institute guarantee compliance with banking secrecy in a rectified manner, and if the requirements of the General Data Protection Regulation and the German Federal Data Protection Act are met. Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Supervisory Authority, European Central Bank, tax authorities, Federal Central Tax Office) if a legal or official obligation exists
- Other credit and financial services institutions, comparable institutions and contract processors to which the Institution transmits personal data in order to conduct the business relationship with the client. These companies are also legally or contractually obliged to treat personal data with the necessary care
- Independent representatives, contractually bound agents, brokers
- Service providers who support the Institute, in particular in the following activities: Support/maintenance of IT applications, archiving, receipt processing, call center services, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, purchasing/procurement, credit processing service, collection, customer management, lettershops, marketing, media technology, reporting, research, risk controlling, expense reporting, telephony, video legitimation, website management, investment services, share register, fund management, auditing services, payment transactions
- Members of certain regulated professions such as lawyers (who provide services for the Institute, e.g. compliance, reporting, etc.), notaries or auditors (e.g. as part of the annual financial statement audit or WpHG audit)
- Other recipients of data may be those bodies for which clients have given their consent to the transfer of data
Note: Under no circumstances will personal data be sold to third parties.
5. Usually no Transfer of Data to a Third Country or an International Organisation
Data is only transmitted to countries outside the EU or the EEA (so-called third countries), if this is required for the execution of client orders (e.g. payment and securities orders), if required by law (e.g. tax law reporting), if clients have given their consent or in the context of order processing. If service providers are used in a third country, they shall, in addition to instructions in writing, be bound by the agreement of the EU standard contractual clauses on compliance with the data protection level in Europe. If you need a printout of these terms or information about their availability, you can contact the Institute in writing.
6. Data Storage Time
The Institute processes and stores personal data of clients as long as it is necessary for the fulfilment of contractual and legal obligations. It should be noted that the business relationship is a long-term debt relationship that is planned to run for several years. If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted, unless – for a limited period – further processing is required for the following purposes:
- Fulfilment of commercial and tax retention periods. These include obligations arising from the German Commercial Code, the Fiscal Code, the Banking Act, the Money Laundering Act and the Securities Trading Act. The periods for storage and documentation specified there are two to ten years.
- Preservation of evidence under the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.
For applicants without a subsequent contract, a retention period of 6 months applies.
7. Protection of Personal Data
The Institute will take reasonable and appropriate measures to protect stored and processed information from misuse, loss or unauthorized access. The Institute has taken a number of technical and organisational measures to this end.
If you suspect that your personal information has been misused, lost or accessed by unauthorized persons, please inform the Institute as soon as possible.
8. Data Protection Rights under the General Data Protection Regulation
Any data subject has the right of access under Article 15 GDPR, the right to correction under Article 16 GDPR, the right to cancellation under Article 17 GDPR, the right to limitation of processing under Article 18 GDPR, the right of objection under Article 21 GDPR and the right to data transfer under Article 20 GDPR. The restrictions according to §§ 34 and 35 BDSG apply to the right to information and the right of cancellation.
The right to information includes information on the purposes of processing, the category of personal data, the categories of recipients to whom personal data has been or will be disclosed, the planned storage period, the existence of a right of rectification, deletion, restriction of processing, opposition or data transfer, the existence of a right of appeal, the origin of the data, if these were not collected at the Institute, and the existence of automated decision-making including profiling and, if applicable, meaningful information on their details.
The client can request the immediate correction of incorrect or the completion of the personal data collected from the Institute at any time.
The client may request the deletion of his personal data stored at the Institute, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. If none of the above cases exists, the Institute will delete this data. As a rule, the Institute will also include the name of the client in the list of persons who do not wish to be contacted. This minimizes the chance that clients will be contacted in the future if their data is collected separately under different circumstances.
In certain circumstances, the client may require the Institute to restrict the processing of his personal data. This means that in future the Institute will only store the client’s data and will not be able to carry out any further processing activities until: (i) one of the conditions listed below has been removed, (ii) the client gives his consent or (iii) further processing is necessary in order to assert, exercise or defend legal claims, protect the rights of other persons or if it is necessary in the legitimate public interest of the EU or a Member State. The client may request the Institute to restrict the processing of the client’s personal data in the following circumstances:
- If the client disputes the accuracy of the personal data that the Institute processes about the client. In this case, the processing of the client’s personal data by the Institute is limited until the accuracy of the data has been verified.
- If the client objects to the processing of his personal data by the Institute in the interest of the legitimate interests of the Institute. In this case, the client may request that the data be restricted while the Institute verifies its reasons for processing the client’s personal data.
- If the processing of the client’s data by the Institute is unlawful, but the client prefers to limit the processing by the Institute instead of having the data deleted.
- If there is no longer a need for the Institute to process the client’s personal data, but the client needs the data in order to assert, exercise or defend legal claims.
The client may receive the personal data that he has provided to the Institute in a structured, common and machine-readable format or request the transmission to another person responsible.
If a decision to conclude or fulfil a contract has only been made in an automatic process (Article 22 GDPR) and this decision has legal effect vis-à-vis the client or the client is significantly impaired in a similar manner, the client may request a further manual review from the institute after he has explained his position to the institute and requested the manual review. In the event of such a decision, the Institute shall also inform the client separately of the reason, the scope and the intended effects of such data processing.
In addition, there is a right of appeal (Article 77 GDPR in conjunction with § 19 BDSG). In this regard, the client may contact the supervisory authority of his usual place of residence or workplace or the registered office of the Institute.
The client can revoke his or her consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent issued to the Institute prior to the validity of the General Data Protection Regulation, i.e. before 25 May 2018. The client is informed that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this. The separate reference to this is also given at the end of this data protection information.
If the client objects, the Institute must stop the corresponding activities. This shall apply with the exception that the Institute can prove that the Institute has overriding legitimate reasons for the processing which outweigh the interests of the client or that the data are processed in order to assert, exercise or defend a legal claim.
9. Obligation to Provide Data
In the context of the joint business relationship, the client must provide the personal data required for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations or for the collection of which the Institute is legally obliged. Without this data, the Institute will generally have to refuse the conclusion of the contract or the execution of the order or will no longer be able to execute an existing contract and may have to terminate it. In particular, the Institute must collect and record the name, place of birth, date of birth, nationality, address and identity card data of the client before establishing the business relationship, for example on the basis of an identity card, in accordance with the provisions of money laundering law. In order for the Institute to comply with this legal obligations, the client must provide the Institute with the necessary information and documents in accordance with Section 11 (6) of the Money Laundering Act and inform the Institute immediately of any changes arising in the course of the business relationship. If the client does not provide the Institute with the necessary information and documents, the Institute may not establish or continue the business relationship requested by the client.
10. Automated Individual Decision-making
For the establishment and implementation of the business relationship, the Institute does not use fully automated decision-making in accordance with Article 22 GDPR. If the Institute uses these procedures in individual cases, the clients will be informed of this separately, insofar as this is required by law.
The Institute does not process client data automatically with the aim of assessing certain personal aspects (Proﬁling). A Proﬁling is not used by the Institute.
Information on your Right to Object under Article 21 of the General Data Protection Regulation (GDPR)
1. Right of objection on a case-by-case basis
You have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you, which is based on Article 6 para. 1 lit. e GDPR (data processing in the public interest) and Article 6 para. 1 lit. f GDPR (data processing on the basis of a balance of interests); this also applies to proﬁling based on this provision within the meaning of Article 4 para. 4 GDPR (however, profiling by the Institute is currently not carried out). If you object, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
2. Right to object to the processing of data for advertising purposes
In individual cases we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to proﬁling, insofar as it is connected with such direct advertising (profiling is not currently carried out by the institute). If you object to the processing for direct advertising purposes, we will no longer process your personal data for these purposes.
The objection can be made form-free and should preferably be addressed by telephone to: 0211/93678250 or alternatively by e-mail to firstname.lastname@example.org.