Privacy and data protection
KfW Stiftung's Privacy Notice
You can rely on the protection and security of your personal data: we consider it our responsibility to protect your privacy when processing your personal data. The following data privacy information provides an overview of how your data is processed and what your rights are under data privacy regulations.
1. Who is responsible for data processing and whom can I contact?
The following is responsible:
KfW Stiftung (hereinafter referred to as: "we" or "us")
D-60325, Frankfurt am Main
Tel: +49 69 74 31-0
Fax: +49 69 74 31-2879
If you have questions, you can get in touch with the Stiftung's contact for data privacy at:
Contact for data privacy
D-60325, Frankfurt am Main
2. Which sources and data does KfW Stiftung use?
We process personal data that we obtain from our beneficiaries, funding partners and parties interested in the foundation in the context of our business relationship, but also from service providers to accomplish the foundation's aims.
The personal data we process includes in particular:
- Personal details (e.g. name, address, telecommunications data, date and place of birth)
- Identification data (e.g. ID, registration data)
- Contract data
3. What does KfW Stiftung process your data for and what is the legal basis?
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Data Protection Adaptation and Implementation Act-EU (DSAnpUG-EU) and other applicable legal regulations.
You may use our entire website without submitting any personal data.
3.1. General communication, for information about the foundation's activities and fulfilment of contractual obligations and on the basis of your consent:
- General communication
- Processing enquiries about funding
- Processing other enquiries
- General information on KfW Stiftung's activities
We generally need to process your personal data in this context to be able to send you invitations and general information about the activities of our foundation. You are not legally obligated to make your personal data available to us. Without this data, however, we cannot send you invitations and information and allow you to take part in our work. The legal basis for this processing is Article 6(1)(1)(f) of the General Data Protection Regulation (GDPR). This provision allows personal data to be processed if this serves to protect legitimate interests and provided that the interests or fundamental rights and freedoms of the data subject do not outweigh those which require the protection of personal data.
If you have given us your consent to process personal data for specific purposes (e.g. invitations), this consent serves as the legal basis for processing the data (Article 6(1)(1)(a) of the GDPR). Consent which has been granted may be revoked at any time. This also applies to revoking declarations of consent that were issued to us before the GDPR took effect, i.e. before 25 May 2018. If consent is revoked, the legality of data processing carried out before consent was revoked is not affected.
3.2. Social media
You can access social media (currently YouTube) from our website.
Important: if you click the respective link, you leave our website and are taken to the website of the social medium. Any information available there was created without any help from us and we are therefore not responsible for this content. We do not accept any liability for the information being up-to-date, accurate or complete. Reference to social media does not imply any approval on our part.
- Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Google privacy notice (YouTube and Google+)
Please keep in mind that we are not aware of nor do we influence how and what data find their way to the social medium.
The data are not used in any way to personally identify a visitor (if this were even technically possible) nor are they linked to the data about the bearer of the pseudonym.
3.4 Links to other websites
KfW Stiftung's websites contain links to other websites. KfW Stiftung is not responsible for the data privacy policies or the content of these other websites.
4. Who receives my data?
Within KfW Stiftung, the departments that need your data to fulfil the purpose of the foundation and any contractual and legal obligations have access to your data. Service providers and sub-contractors whose services we use may also receive data for these purposes if they observe data protection.
We may only disclose information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide such information for other reasons. Under these conditions, recipients of personal data could include:
- Public bodies and institutions (e.g. Federal Court of Auditors, financial authorities and offices) in the event of a legal or official obligation
- Other credit and financial services institutions or similar institutions to which we transfer personal data to execute the business relationship with you, service providers that process data on our behalf (e.g. financial accounting)
- Experts if they are involved in funding
Other data recipients may be those bodies for which you have given us your consent to transfer data.
5. Are data transferred to a third country or an international organisation?
If KfW Stiftung transfers personal data to offices outside of the EU, known as third countries, requirements stipulated in data privacy regulations are complied with.
6. How long will my data be stored?
How long personal data are stored is based on the respective processing purposes. It is not possible to list the various storage periods in a reasonable format here. The criteria to determine the concrete individual storage periods are the following:
- The data is stored for as long as KfW Stiftung has an overriding legitimate interest within the scope of fulfilling its aims.
- If we only process data for the purpose of executing a contractual relationship, we store the data for the duration of the contractual relationship.
- In addition, we are subject to various storage and documentation obligations arising from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods for storage and documentation set forth in these laws range from two to ten years.
7. What are my data privacy rights?
If the statutory prerequisites are met, you have the following rights in accordance with Art. 15 to 22 of the GDPR:
- Right of access in accordance with Art. 15 of the GDPR, i.e. the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to this personal data and other information.
- Right to rectification in accordance with Art. 16 of the GDPR if personal data concerning you is not correct.
- Right to erasure in accordance with Art. 17 of the GDPR, e.g. when the personal data are no longer necessary in relation to the purposes for which they were processed.
- Right to restriction of processing in accordance with Art. 18 of the GDPR.
With respect to the right of access and the right to erasure, the restrictions pursuant to Sections 34 and 35 of the German Federal Data Protection Act apply.
In addition, there is a right to lodge a complaint with a data protection supervisory authority (Art. 77 of the GDPR).
Right to revoke your consent
You can revoke consent that you have granted to process data at any time. This does not, however, affect the legality of processing carried out before consent was revoked. If you revoke your consent or effectively object to further processing on the basis of your consent, we will no longer process the data for these purposes.
Information about your rights to object
If we process personal data to send invitations and information, you can object to processing at any time and without specifying any reasons.
The objection can be made informally. Please send your objection to:
Data privacy contact
D-60325 Frankfurt am Main, Germany
You have the right to object at any time to the processing of your personal data, which is based on a balancing of interests (Art. 6(1)(1)(f) of the GDPR) insofar as reasons arise from your particular situation which preclude such data processing. This also applies if automated individual decision-making is used (Art. 22 of the GDPR). If you raise an objection, we will no longer process your personal data for these purposes unless we are able to provide evidence of cogent reasons for the processing which are worthy of protection and which override your interests, rights and freedoms, or unless the processing serves the purpose of establishing, exercising or defending legal claims.