Data protection policy
As of 29. July 2022
Berenberg takes its responsibility for data protection and information security very seriously. The careful handling of all personal data is a core aspect of our operations and forms the basis for our processes and workflows. As a private bank with international offices we are subject to various data protection regulations in the countries in which we operate. In this data protection policy for the area covered by the European General Data Protection Regulation (GDPR) we inform you about the personal data that we collect when you use this website and its related functions and the purposes for which we process these personal data.
1. Controller and contact
The controller of the Berenberg website is
Joh. Berenberg, Gossler & Co. KG
Neuer Jungfernstieg 20
D - 20354 Hamburg
Telephone +49 40 350 600
Fax +49 40 350 60900
If you have any questions or suggestions about data protection or wish to assert your rights, please get in touch with us using the contact details below.
2. Data protection officer
You can contact our data protection officer by writing to Datenschutz@berenberg.de
3. Object of data protection
The object of data protection are personal data. As defined in Art. 4(1) GDPR, these are all information relating to an identified or identifiable natural person. Personal data are also known hereafter as data.
4. Automated data collection on this website
For technical reasons, when you visit our website your device automatically sends data that may enable you to be identified. These are:
- User’s IP address
- Date and time of request
- Content of request (specific page)
- Access status / HTTP status code
- Volume of data sent
- Website from which the request comes
- User’s operating system
- Language and version of browser software
Data is stored for reasons of data security and to ensure the stability and operating safety of our system. These data are not merged with data from other sources. Personal data are deleted automatically every 28 days.
Since Berenberg is not able to link your IP address to you (only your internet provider can do this) and pattern recognition over a longer period does not take place because the data are deleted at frequent intervals, Berenberg’s interest in the orderly operation of its website overrides any interests of visitors. The legal basis for processing the above data to ensure the correct operation of this website is our overriding legitimate interests within the meaning of Art. 6(1) f GDPR.
5. Hosting of our website
We operate our website on servers from Microsoft Ireland Operations Limited, Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18, Ireland (Azure-Cloud). The Microsoft server structures used by us are situated in the European Union.
6. Consent management system
- Date and time of visit,
- browser information,
- information about consent (particularly IP address and time of consent; both data points are stored for a period of 12 months as evidence of your consent),
- device information,
- opt-in and opt-out data and
- the anonymised IP address of the requesting device.
- the URL of the website on which the consent was given
- the rough location of the user.
The legal basis for this are Art. 6(1) c and f GDPR: We use CookieFirst to obtain and manage your consent.
To send you the newsletter offered at https://newsletter.berenberg.de and ordered by you, you are asked for your email address in the order form and then asked to confirm a subsequent email (double opt-in). This confirmation is intended to ensure that no one can register for a newsletter using somebody else’s email address.
The following data are stored for 12 months when the newsletter is ordered and cancelled:
- Date and time,
- email address,
- surname, name
- confirmation emails and
- IP address.
When you register for a newsletter on our website, you can cancel it with future effect at any time here. There is also a cancellation link at the end of every newsletter.
The newsletters ordered by you contain what is known as a “web beacon”. This is a pixel-sized file that is retrieved when the newsletter is opened. The web beacon uses certain technical data, namely
- type of browser and system,
- anonymised IP address,
- time of retrieval and
- which link from which mailing and which email was clicked,
to determine whether the newsletter was opened, when it was opened and which links within the newsletter were clicked. This information is not allocated to individual recipients of the newsletter but is stored in anonymised form. The analysis serves to identify the reading habits of our users and to optimise and adapt our contents to them.
The newsletter is sent and analysed by Inxmail GmbH, Wenzingerstr. 17, 79106 Freiburg, with which we have signed a data processing contract within the meaning of Art. 28 GDPR. Inxmail uses this information to send and analyse the newsletter on our behalf. In addition, Inxmail can used these data to optimise or improve its own services, e.g. for the technical optimisation of how the newsletter is distributed and displayed. However, Inxmail does not use your data to write to you or transfer them to third parties. The legal basis for the distribution and analysis of the newsletter is your consent in accordance with Art. 6(1) a GDPR.
We store what are known as “cookies” in order to offer certain functions on our website and to optimise the use of the website. Cookies are small files that are stored on your device with the help of your internet browser. Details can be found here.
9. Services used for analytics, advertising and similar technologies
In detail, we use the following services from
The Google Retargeting and Conversion Technology of Google Ads enables us to target you with personalised, interest-based advertising if you have already shown interest in offers from us. The conversion technology enables us to draw attention to our offers on external websites with the help of advertising media (so-called Google Ads). We can also use the service to determine how successful the individual advertising measures are by comparing them with the data from the advertising campaigns. We only receive statistical evaluations from Google. Based on these evaluations, we can see which of the advertising measures used are particularly effective. We do not receive any further data about this, and in particular we cannot identify you from this information.
Google AdSense allows us to place customised advertisements on our website. With this service from Google, we do not receive any data that allows us to identify individual persons.
The Google Data Studio is a software from Google for creating reports with different data sources. We use it to create reports for our own performance monitoring. In doing so, Google Data Studio can access data collected by other Google services we use. These include, in particular, Google Analytics and Google Ads. In turn, we receive aggregated reports from Google that do not allow us to refer to individual persons.
Google Optimize allows us to find out which website components our website users like best. For this purpose, we display different versions of the website (e.g. with different colours and sizes of clickable buttons) in order to improve our website and, above all, the user experience based on the interaction data collected by Google Optimize. This Google service also does not provide us with any data that allows us to identify individual persons.
We use the Google Tag Manager to facilitate the management and addition of marketing pixels and tracking codes on our website. To avoid unnecessary, error-prone individual interventions in the source code of this website, the Google Tag Manager is added once and then acts as a kind of container for further code. Last but not least, this tool gives us a good overview of all the third-party tools and trackers we use. In this way, we can also better ensure compliance with the requirements of the GDPR.
10. LinkedIn Insight Tag
Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn"). LinkedIn members can also control the use of their personal data for advertising purposes in their account settings. Information on LinkedIn's data protection can be found at https://www.linkedin.com/legal.... We have also entered into an order processing agreement including standard contractual clauses with LinkedIn for the use of this tool.
LinkedIn does not share any personal data with us, but offers anonymised reports on website audience and display performance. In addition, there is the possibility of retargeting via the LinkedInInsight tag. We can use this data to display targeted advertising outside our website without being able to identify you as a website visitor. The legal basis for this use is your express consent (Art. 6 para. 1 lit. a DSGVO).
11. Embedded third-party contents
We embed YouTube videos in our website. YouTube is a service from Google LLC, 1600 Amphitheatre Pkwy Mountain View, California 94043, USA, for users from the EEA and Switzerland from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The Google data protection policy can be found at https://policies.google.com/privacy?hl=de.
These YouTube videos are played from YouTube servers, so your device sends certain technically necessary data to YouTube. In particular it cannot be ruled out that YouTube can find out your IP address. If this involves the processing of personal data, then this takes place on the basis of the Google data protection policy. Please note that Google may also share personal data outside the Google group of companies and with other third parties. This may entail the transmission of personal data to the USA and other third countries for which there is no adequacy decision from the European Commission. According to its website, Google will use the standard contractual clauses adopted by the European Commission in accordance with Art. 46 GDPR.
Integration of YouTube videos takes place on the basis of your consent (Art. 6(1) a GDPR) or our legitimate interest in showing you the corresponding contents and functions (Art. 6(1) f GDPR).
12. Social media / Internet presence
Our LinkedIn page can be found here: https://www.linkedin.com/company/berenberg-bank. LinkedIn is operated for users in the European Economic Area and Switzerland by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn Ireland”). The operator for all other users is LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA 94085, USA. The LinkedIn data protection policy can be found here: https://de.linkedin.com/legal/.... Here you can also find information about the options for the settings on your LinkedIn profile. LinkedIn Ireland sends personal data to the USA and other third countries outside the European Economic Area for which there is no adequacy decision from the European Commission. According to its website, LinkedIn uses the standard contractual clauses adopted by the European Commission in accordance with Art. 46 GDPR.
Our Twitter account can be found here: https://www.linkedin.com/company/berenberg-bank. Twitter is operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103 (“Twitter”). The Twitter data protection policy can be found here: https://twitter.com/de/privacy. The controller for users situated in the European Economic Area and the United Kingdom is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland. Twitter also states that it ensures an adequate level of protection for the rights of data subjects in the event of a transfer to third countries.
Our XING page can be found at https://www.xing.com/pages/berenbergbankjoh-berenberggossler-co-kg. XING is operated by New Work SE, Dammtorstrasse 30, 20354 Hamburg, Deutschland (“XING”). The XING data protection policy can be found here: https://privacy.xing.com/de/datenschutzerklaerung. You can also find information here about your account settings and the transmission of data to third countries. XING also sends personal data to third countries outside the European Economic Area for which there is no adequacy decision from the European Commission. According to its data protection policy, XING uses the standard contractual clauses adopted by the European Commission in accordance with Art. 46 GDPR to the extent necessary.
13. Forwarding of data to third parties in general
We transfer personal data to third parties processing data on our behalf on the basis of Art. 28(1) GDPR. The processors may only use the data for the purposes defined by us. We use the following categories of processors, including the processors already explicitly mentioned in this data protection policy:
- IT servicer providers,
- Cloud service providers,
- Hosting service providers,
- Marketing service providers.
Personal data are transferred to law enforcement authorities and possibly to third parties suffering a loss, if this is necessary to clarify the unlawful use of our website or for law enforcement purposes. However, this only takes place if there are concrete indications of unlawful or fraudulent conduct. Data may also be transferred for the enforcement of legal rights. We are also obliged by law to provide information to certain public authorities on request. These are law enforcement authorities, authorities that investigate administrative offences liable to a fine, and tax authorities. These data are transferred on the basis of our overriding legitimate interest in accordance with Art. 6(1) f GDPR or on the basis of a legal obligation in accordance with Art. 6(1) c GDPR.
In the context of organising our operations and financial accounting and to comply with statutory obligations, such as archival obligations, we disclose or transfer the same data from you that we have processed for the purpose of cost refunds or in connection with the establishment, exercise or defence of legal claims, to the tax authorities, advisers, e.g. tax advisers or auditors, and to other payment centres and payment services providers. These data are transferred on the basis of our legitimate interest in maintaining our commercial activities, carrying out our responsibilities and processing the refund in accordance with Art. 6(1) f GDPR or on the basis of a legal obligation in accordance with Art. 6(1) c GDPR.
14. Data transfers to third countries
When we transfer data to countries outside the European Economic Area (“EWA”), third countries (e.g. the UK, Switzerland or the USA) or to recipients in third countries, this takes place in accordance with the specific provisions of Art. 44 et seq. GDPR. For the UK this may be on the basis of an existing adequacy decision, or otherwise on the basis of an agreement using the standard contractual clauses of the European Commission.
15. Automated decision-making and profiling measures
We do not use any automated decision-making or profiling methods.
16. Erasure of your data
We erase your personal data as soon as it is no longer required for the purpose for which we processed it. We retain your data if we are obliged to do so for legal reasons (Art. 6(1) c GDPR) or the data are required for longer to establish, exercise or enforce legal rights. If data have to be retained for legal reasons, the processing is restricted. The data are then no longer available for further processing. Ongoing storage takes place on the basis of our aforementioned legitimate interests in accordance with Art. 6(1) f GDPR.
17. Your rights as a data subject
You have the following rights concerning your personal data:
Right of access
- You have the right to obtain the information defined in Art. 15 GDPR and Section 34 German Federal Data Protection Act (BDSG) from us at any time on request about the personal data concerning you that is processed by us.
Right to rectification
- You have in accordance with Art. 16 GDPR the right to obtain from us without undue delay the rectification of inaccurate personal information concerning you.
Right to erasure
- On the conditions described in Art. 17 GDPR and Section 35 BDSG you have the right to obtain from us the erasure of personal data concerning you. These conditions particularly provide for the right to erasure when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if the data have been unlawfully processed, if you object to the processing or if they have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
Right to restriction of processing
- You have the right to obtain from us the restriction of processing in accordance with Art. 18 GDPR. This right exists in particular if the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data, if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead, if we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, and if your effective objection to processing is contested by us.
Right to data portability
- You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR.
Right to object to processing
- In accordance with Art. 21 GDPR you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1) f GDPR. We will stop processing the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
Right to lodge a complaint with a supervisory authority
- You have the right to lodge a complaint with a supervisory authority of your choice. In Hamburg, the supervisory authority is the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), Ludwig-Erhard-Str. 22, 20459 Hamburg. In the UK, you also have the right to lodge a complaint with the Information Commissioner's Office, whose head office address is at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AFed.
To exercise your rights you can write by post or email to the address mentioned in  above. The personal data that you send when you exercise your rights in accordance with Art. 15 to 22 GDPR will be stored by us for the purpose of implementing those rights and documenting the implementation. This processing takes place on the basis of Art. 6(1) c GDPR in conjunction with Art. 15 to 22 GDPR and Section 34(2) BDSG.
18. Addendum for the use of the Wealth Management Portal
You may use our online banking ("Wealth Management Portal") via browser (desktop) or via app (smartphone). Data will be collected from you in the process of logging in. The purpose of the login is to provide you a digital access to your accounts. To do this, you must enter your user name and a password of your choice. At the time of login, the following data is stored for security reasons:
- The user's IP address
- Date and time of login
- For the fulfilment of a contract or the implementation of pre-contractual measures in accordance with Art. 6(1) b GDPR, as the registration and login section are necessary for the fulfilment of the contract or pre-contractual measures.