Data Protection Information

Datenschutzhinweise und Information zum Widerspruchsrecht in deutscher Sprache finden Sie hier.

The data controller is:

Internationale Kapitalanlagegesellschaft mbH 
Hansaallee 3
40549 Düsseldorf, Germany
Telephone: +49 (0)211 910-2581
Fax: +49 (0)211 910-91903

Our data protection officer can be reached at the following address:

HSBC Continental Europe S.A., Germany
Data protection officer
Hansaallee 3
40549 Düsseldorf, Germany
Telephone: +49 (0)211 910 2006
Fax: +49 (0)211 9109 2125
Email address: datenschutz@hsbc.de

We process personal data that we obtain in the course of our business relationships or the initiation of business relationships with our customers and business partners, their representatives, authorised agents and other persons associated with our customers and business partners, and with prospects. Where it is necessary in order for us to render our services, we also process personal data that we lawfully obtain from publicly available sources (e.g. commercial registers and registers of association, press, internet) or that is legitimately provided to us by other companies within the HSBC Group or other third parties.

Relevant personal data includes your particulars (name, address and other contact details, date and place of birth, and nationality), data concerning your credentials (e.g. ID data), and authentication data (e.g. template signature).

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Data Protection Act (BDSG):

a. For the fulfilment of contractual obligations (Art. 6 (1) b GDPR)

Personal data (Art. 4 no. 2 GDPR) is processed for the purpose of providing our services as capital management company or as administrator of investment funds and direct portfolios or in order to carry out actions that we may be requested to take prior to entering into a contract.

b. As part of the balancing of interests (Art. 6 (1) f GDPR)

If necessary, our processing of your data may go beyond what is necessary simply for the fulfilment of the contract, in order to safeguard our own, or a third party’s legitimate interests. Examples:

• Assertion of legal claims and defence in the event of legal disputes
• Guaranteeing our IT security and our IT operations
• Prevention and investigation of criminal offences
• Video surveillance in order to exercise our right to determine who shall be allowed or denied access and to gather evidence in the event of robberies or fraud
• Building and site security measures (e.g. access controls)
• Measures to guarantee undisturbed possession of our premises

c. Based on your consent (Art. 6 (1) a GDPR)

If you have given us your consent to process personal data for specific purposes (e.g. sharing data with other HSBC Group companies for advisory purposes, contact by email or telephone for marketing purposes), the processing of this data is lawful on the basis of your consent. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent granted to us before the entry into force of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that this withdrawal of consent is not retroactive. Data processing that took place before consent was withdrawn is not affected.

d. Due to statutory provisions (Art. 6 (1) c GDPR) or in the public interest (Art. 6 (1) e GDPR)

As a capital management company, we are also subject to a range of legal obligations, i.e. statutory requirements (under the German anti-money laundering legislation, German Capital Investment Code (KAGB), German Derivatives Ordinance, German Capital Investment Rules of Conduct and Organisation Regulation, and tax legislation for example) and regulatory requirements (e.g. those imposed by the German Federal Financial Supervisory Authority). Data is processed for various purposes including identity and age checks, the assessment of an investor as professional or semi-professional pursuant to section 1 (19) no. 32,33 KAGB and the prevention of fraud and money laundering.

Access to your data is provided to those departments within the capital management company that need this data in order to meet our pre-contractual, contractual and legal obligations.

We only share your personal data with third parties as far as legally permitted, cf. Art. 6 GDPR.

So your personal data may be transmitted to service providers, as far as required for the purposes listed under section 3 of this Data Protection Information. Our service providers are companies in the areas of IT services, logistics, printing services, telecommunications, auditing, advice and consultancy, and sales and marketing. We have agreed on extensive contractual rules with all our service providers to protect the data which shall be processed. Furthermore, our service providers have an obligation of secrecy.

In addition, data transfers to third parties take place as far as required to fulfill a legal obligation. Subject to this condition, recipients of personal data could include for example:

• Public bodies and institutions (e.g. the German Federal Financial Supervisory Authority, financial authorities, law enforcement authorities) if a legal or official obligation exists.
• Banks and financial service institutions or similar bodies to which we provide personal data in order to conduct our business relationship with you (e.g. custodians, asset manager, investment advisors, commission agents).
• Other companies within the HSBC Group for risk management purposes based on legal or official obligations.

We may provide information to further data recipients provided we have your consent for the disclosure to these bodies.

The recipients mentioned under section 4 are located in- and outside of the European Economic Area (“EEA”). A data transfer to bodies in countries outside the European Union and outside the EEA (“third countries”) only takes place as far as:

• it is required for the execution of transactions,
• the European Commission has decided that the respective third country or a territory or one or more specified sectors within this third country ensure an adequate level of protection, 
• as far as countries are concerned which aren’t subject to such an adequacy decision we have ensured that appropriate measures within the meaning of GDPR are in place for the protection of your personal data (e.g. by agreeing between both parties involved in the data transmission, to Standard Contractual Clauses, which have been issued by the European Commission, and additionally by ensuring that appropriate security measures are in place (such as data encryption, pseudonymization)); or
• the aforementioned is not applicable, but we nevertheless are allowed to transfer the data in a lawful manner, for example, when the transmission is necessary for the establishment, exercise or defence of legal claims, when the transmission is prescribed by law (e.g. fiscal reporting obligations), or when you have provided us your consent.

Further details regarding the safeguards, which we have put in place for the transfer of personal data to third countries, as well as a copy of the agreed Standard Contractual Clauses may be requested under: datenschutz@hsbc.de.

If necessary, we will process and store personal data for the duration of the business relationship with our customers and business partners. This includes the contract origination and implementation stages. It should be noted that the business relationships with our customers and business partners are contracts for the performance of continuing obligation that are intended to run for a number of years.

If the data is no longer required for the fulfilment of contractual or statutory duties, it is periodically deleted unless its continued processing – for a limited time – is necessary for the following purposes:

• Fulfilment of duties to preserve records under commercial and tax law: relevant legislation in this respect includes, in particular, the German Commercial Code (HGB), the German Tax Code (AO) and the German Anti-Money Laundering Act (GwG). The time periods specified in these laws for the retention of records and/or documentation range from five to ten years.
• Preservation of evidence in line with the statutory limitation periods. In accordance with section 195 et seq. of the German Civil Code (BGB), these limitation periods can last up to 30 years although the standard limitation period is three years.

In accordance with the procedural rules set out in Article 12 GDPR, every data subject has

• the right of access under Article 15 GDPR,
• the right to rectification under Article 16 GDPR,
• the right to erasure under Article 17 GDPR,
• the right to restriction of processing under Article 18 GDPR,
• the right to object under Article 21 GDPR, and
• the right to data portability under Article 20 GDPR.

The right of access and the right to erasure are subject to limitations under sections 34 and 35 BDSG.

Data subjects may consult the data protection officer for any matters in relation to the processing of their personal data and the exercise of their rights in this regard (Article 38 (4) GDPR). 

There is also a right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG).

Within the scope of our business relationships with them, our customers and business partners must provide any personal data that is necessary to establish, execute and terminate a business relationship and any information that we are legally obliged to collect.

In accordance with anti-money laundering regulations, we are required to identify you using an identification document before setting up a power of representation/power of attorney and to collect and record your name, place and date of birth, nationality, address, and identification data. So that we can satisfy this statutory obligation, you are required under applicable anti-money laundering legislation to provide us with the necessary information and documentation and to promptly notify us of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we are not permitted to commence or continue the business relationship desired by you.

We do not use fully automated decision-making processes within the meaning of Article 22 GDPR.

We do not use your data for profiling activities.