Data Privacy Statement
This Data Privacy Statement informs you about the processing of personal data in the Transparency Register and when visiting our website pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (henceforth referred to as "GDPR"), Section 25 of the German Telecommunications Digital Services Data Protection Act (henceforth referred to as "TDDDG") and other data protection regulations.
1. Description of how we process data
We process personal data in the scope of providing the information, content and functions of the Transparency Register in the form of a website. This includes, in particular, the public retrieval and search functions of the Transparency Register as well as additional services that require prior identification or registration.
In addition to this, processing includes the possibility of using services of the Transparency Register over the website, in particular electronic inspection of register information, submitting notifications and other register-related functions provided on the basis of the applicable legal provisions of the German Act on the Detection of Proceeds from Serious Crimes (known as the Money Laundering Act, henceforth referred to as "GwG") and the legal regulations issued for this purpose.
2. Controller
Bundesanzeiger Verlag GmbH
Amsterdamer Str. 192
50735 Köln
Tel.: +49 (0)221 / 97668-0
Fax: +49 (0)221 / 97668-278
E-mail: service@bundesanzeiger.de
3. Purposes and legal basis of data processing
3.1. Purpose of processing
3.1.1. Keeping the Transparency Register / performing public tasks
We process personal data in order to receive, review, process and properly document transactions in the scope of keeping the Transparency Register in our capacity as the registration authority. This includes, in particular, assigning transactions to the relevant persons or organisations, communicating during the process (e.g. in the event of follow-up queries and status and procedural information) and ensuring consistent processing, for instance to avoid duplicate entries.
3.1.2. Meeting other legal obligations
In addition to this, we process personal data as required to meet legal obligations. This includes, in particular, statutory retention and documentation obligations, as well as processing for the purpose of complying with and meeting data protection requirements, for instance when processing requests from data subjects and implementing corresponding rights under GDPR.
3.2. Legal basis for processing
Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 18 ff. GwG and the Transparenzregisterbeleihungsverordnung – TBelV (Transparency Register Lending Ordinance), as well as the Transparenzregisterdatenübermittlungsverordnung – TrDüV (Transparency Register Data Transmission Ordinance), the Transparenzregistereinsichtnahmeverordnung – TrEinV (Transparency Register Inspection Ordinance) and the Transparenzregistergebührenverordnung – TrGebV (Transparency Register Fees Ordinance).
4. Recipients or categories of recipients
4.1. Authorities, courts and other institutions named in Section 2(4) GwG, where inspection is necessary for the performance of their statutory tasks. In addition, obliged entities within the meaning of Section 2 of the Money Laundering Act, provided that they demonstrate to the registration authority that inspection is necessary to meet their due diligence obligations in the cases set out by law. Furthermore, members of the public who, under Section 23 GwG, have legally regulated access to the data contained in the Transparency Register.
4.2. Supervisory authorities and law enforcement agencies, where this is necessary for the performance of their statutory tasks.
4.3. Other institutions, in particular public registers, where data exchange is provided for by law or is required for the review, updating or correction of the data kept in the Transparency Register.
4.4. Processors acting on behalf of the controller who process personal data solely on instruction and on the basis of Article 28 GDPR (e.g. IT service providers, hosting service providers, technical operation and support service providers).
4.5. Depending on the payment method selected, the data required to execute the payment transaction are transmitted to the relevant payment or verification service providers. These providers process the data autonomously and solely for the purpose of processing or technically verifying the payment. Further billing and processing take place within our systems, where relevant.
4.6. Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 18 ff. GwG in conjunction with TBelV and TrDüV.
5. Third country transfer
We generally process personal data inside the EU. If persons based or residing in third countries access register data within the scope of legally prescribed inspection, this may constitute transfer/disclosure to a third country. This takes place on the basis of the statutory access regulations of the GwG.
6. Storage period
Your personal data are only stored for as long as is necessary to meet said purposes or if retention periods require further storage.
7. Type and source of personal data
7.1. Origin of the data
In addition to being collected directly from you, personal data may originate from the following sources:
- Information that legal entities subject to a notification obligation submit to the Transparency Register in the scope of their statutory notification obligations;
- Data from public registers, in particular from the Commercial, Association, Partnership or Cooperative Register and the Charity Register, where these are used to perform the statutory tasks of the Transparency Register;
- Data from notifications and submissions by other legally obliged institutions or third parties, where they are authorised or obliged to transmit this data to the Transparency Register under the provisions of the Money Laundering Act;
- Communication and contact data arising when establishing contact or during other exchanges with legal entities subject to a notification obligation, beneficial owners, authorities or other parties involved.
Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 18 ff. GwG, as well as TBelV, TrDüV, TrEinV and TrGebV.
7.2. Registration and identification
7.2.1. Creating a user profile (registration)
You have the option of registering on our website and therewith creating a user profile. When you register on our website, in addition to the data that your Internet browser automatically transmits to us, we collect and use the following data, which are marked as mandatory or voluntary depending on the purpose of processing:
- Date and time of registration,
- First name and surname,
- Your e-mail address and telephone number,
- Address and, if different, billing address.
Legal basis: Article 6(1) e) GDPR in conjunction with Section 23(3), (5) GwG in conjunction with Sections 2, 3 TrEinV.
7.2.2. For extended registration to use inspection options, proof of identity must be provided as prescribed under Section 3 TrEinV. Identity is verified during the registration process on the basis of suitable evidence.
Suitable evidence for natural persons includes, in particular:
- a copy of a valid official identity document with a photograph (e.g. identity card or passport),
- a copy of the documents specified in the Payment Account Identity Verification Regulation (ZIdPrüfV), or
- one of the other suitable forms of evidence defined in the Money Laundering Act.
In the cases provided for by law, the registration authority may send the user a verification number to the address specified in the document provided as evidence. The verification number is personal and may not be disclosed to third parties.
The personal data collected for the purpose of identity verification are processed solely for the purpose of registration and verification and are deleted no later than two years after transmission to the registration authority in accordance with the legal requirements.
Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 23(7) GwG in conjunction with Section 3 TrEinV.
7.2.3. Registration pursuant to Section 3 TrEinV requires electronic identification of the user. The identification data collected in the course of the identification process will be processed exclusively to ensure proper performance of the tasks of the Transparency Register and will be deleted as soon as the purpose of the storage no longer applies and no conflicting storage obligations or rights exist.
For this purpose, we use, inter alia, an external identification service provider as a processor within the meaning of Article 28 GDPR, which conducts the identification procedure on our behalf. In the course of identification, in particular identification evidence is processed (e.g. photo/image and audio recordings of the person as well as images/copies of the identity document).
The data processed during the identification procedure are stored for different lengths of time depending on the outcome:
Successful identification: The data collected during the identification process are deleted by the identification service provider after 90 days. If proof of identification is subsequently sent to us, we store it for two years in accordance with the applicable legal requirements.
Unsuccessful or aborted identification: Personal data from aborted or invalid identification attempts are stored by the identification service provider for 7 days and then deleted.
Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 23(7) GwG in conjunction with Section 3 TrEinV.
7.3. Provision of the website and creation of log files
7.3.1. Browser data
For technical reasons and to maintain and improve functionality, we automatically collect and store information that your Internet browser transmits to us and, where necessary, pass it on to third parties.
This data includes:
- Browser type and version
- Operating system used
- Website you are visiting us from (referrer URL)
- Website you are visiting
- Date and time of access
- Your Internet Protocol (IP) address
- Volume of data transferred
- Access status (files transferred, file not found, etc.)
These anonymous data (with the exception of your IP address) are stored separately from any personal data you may have provided and therefore cannot be used to identify a specific person. They may be analysed for statistical purposes to optimise our website and our products and services.
After analysis, these data are deleted by us and our service providers.
7.3.2. Server log data (extended logging)
Unless otherwise stated here, it is not necessary for you to provide personal data to use our website. Each time a user accesses the websites named above and each time a file is retrieved, data about this action are stored in a log file. We use these data to make it technically possible for you to visit our site. We also use these data for statistical purposes to improve the design and layout of our website. These data are not used in relation to a particular person.
Specifically, the following data record is stored for each retrieval:
- Name of the retrieved file
- Date and time of retrieval
- Transmitted data volume
- Message as to whether the retrieval was successful
- Description of the type of web browser used
- Requesting domain
- Country of domain origin
After analysis, these data are deleted by us and our service providers.
7.3.3. Legal basis: Article 6(1), lit. e) GDPR, Section 18(1), (2) GwG in conjunction with TBelV.
7.4. Use of cookies and analysis tools
We use cookies on our website. These are small text files our web server sends to your computer to store certain information (e.g. attributes for identification).
If you use our website anonymously, cookies will be used for statistical analysis of usage, including recording new and recurring visits. We also use cookies to assess the extent to which free content is used. To determine this, our website will send a Unit ID to your browser. This is an anonymous code used exclusively to establish the free content that has been used already.
When you use our website under your user profile, cookies will be used to identify your browser for the duration of your visit, including the various pages you visit. Our website can also be used without storing cookies. You can block the storage of cookies in your browser settings or tell your browser to inform you when a web page intends to store cookies. You will then decide whether to accept or reject cookie storage. However, for technical reasons, it is necessary to allow all temporary cookies to use the full functionality of our website. Even when cookies are deactivated, our website will send the described Unit ID to your browser to determine the usage of free content. Where cookies are not technically necessary, the legal basis is your consent in accordance with Article 6(1), lit. a) GDPR.
7.4.1. Technically necessary cookies
Under Section 25(2), no. 2 of the German Telecommunications Digital Services Data Protection Act (TDDDG), user consent is not required for technically necessary cookies. The services of the Transparency Register cannot be provided without using these technically necessary cookies. We use the following cookies on our website that are technically necessary for the operation of the website.
Publisher: Bundesanzeiger Verlag GmbH
Purpose of data collection: Administration of the user session.
Lifespan: 2 hours
Publisher: Bundesanzeiger Verlag GmbH
Purpose of processing: Storing cookie consent settings
Lifespan: 90 days
7.4.2. Analysis (Matomo)
With your consent, Matomo, an open-source web analysis tool (https://matomo.org), will collect and store data on this website for optimisation purposes. These data may be used to create usage profiles under a pseudonym. Cookies may be used for this purpose. Cookies allow returning Internet browsers to be recognised. The data collected by Matomo will not be used to personally identify visitors to this website unless with the consent of the affected party, and will not be linked to personal data about the holder of the pseudonym. Information about your usage of this website created by the cookie will not be passed on to third parties either. The legal basis for processing is your consent pursuant to Article 6(1), lit. a) GDPR. Data collected by Matomo technology (including your anonymised IP address) are processed exclusively on the servers of Bundesanzeiger Verlag GmbH. From the data collected (e.g. which page was visited, length of time spent on the website, whether downloads were made, search terms, etc.), we can draw conclusions about usage behaviour on our website and obtain information about other technical parameters (e.g. browser used and version, screen resolution of the terminal device used, operating system). The following specific cookies are used:
Publisher: Bundesanzeiger Verlag GmbH
Purpose of processing: Statistical analysis purposes
Lifespan: 13 months
Publisher: Bundesanzeiger Verlag GmbH
Purpose of processing: Statistical analysis purposes
Lifespan: 6 months
Publisher: Bundesanzeiger Verlag GmbH
Purpose of processing: Statistical analysis purposes
Lifespan: 30 minutes
Publisher: Bundesanzeiger Verlag GmbH
Purpose of processing: Statistical analysis purposes
Lifespan: 30 minutes
Publisher: Bundesanzeiger Verlag GmbH
Purpose of processing: Statistical analysis purposes
Lifespan: 30 minutes
Publisher: Bundesanzeiger Verlag GmbH
Purpose of processing: Testing whether the user's browser supports cookies.
Lifespan: short-term (< 1 second)
By default, web analytics is disabled. You can decide in your settings whether a unique web analysis cookie may be stored in your browser to enable the website operator to collect and analyse various statistical data. If you wish to opt out at a later date, please select the appropriate option under the "Edit cookie settings" link to store the Matomo deactivation cookie in your browser.
7.5. Chatbot
For service enquiries, you have the option of using the chatbot on our website to obtain information.
No further data are required from you to use the chatbot. However, if you do provide personal data, these will be anonymised. To optimise the algorithm, which enables the chatbot to autonomously categorise enquiries according to the subject matter using the keywords contained therein, log files and chat histories are stored anonymously for 90 days. We would like to stress that you do not need to provide any personal data.
If you have any questions regarding your customer account, you can contact us directly by telephone or e-mail, as automatic assignment is not possible.
Data processing is performed without the use of cookies ("cookieless") on the basis of Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 18(1) GwG and TBelV. It is necessary for the management of the registration authority, whose effective management is in the public interest.
7.6. Telephone customer service via voicebot
We use an automated voice-based assistant ("voicebot") from a service provider to process incoming telephone enquiries. The voicebot supports the receipt of calls, the recording of enquiries and the structured forwarding or processing of service enquiries.
Personal data are processed during the use of the voicebot. This includes, in particular, the content spoken by the caller, which for technical reasons is recorded as voice data and converted into text, the communication content of the conversation, any identification data provided, such as a customer number, and technical meta and connection data, such as the time and duration of the call.
These data are processed for the purpose of dealing with customer enquiries. Additionally, the processing may serve to ensure the technical operation and quality of the voicebot service.
The legal basis for the processing of personal data is Article 6(1), lit. a), b), e) GDPR in conjunction with Section 18(1), (2) GwG in conjunction with TBelV.
Processing is partly automated, in particular in the context of speech recognition, analysis of the enquiry and dialogue steering. No automated decision-making takes place within the meaning of Article 22 GDPR which has legal effect or significantly affects the data subject in a similar way.
The service provider processes the personal data solely as a processor within the meaning of Article 28 GDPR and solely in accordance with our instructions. The data are not passed on to other recipients unless there is a legal obligation to do so.
The processed personal data are deleted as soon as they are no longer required for the cited purposes and there are no legal retention obligations to the contrary.
8. Your rights under the GDPR
8.1. You have the following rights
- Articles 13 and 14 GDPR – Rights to information
- Article 15 GDPR – Access
- Article 16 GDPR – Rectification
- Article 17 GDPR – Erasure
- Article 18 GDPR – Restriction of processing
- Article 20 GDPR – Data portability
- Article 21 GDPR – Objection
- Article 22 GDPR – No purely automated decisions
- Article 77 GDPR – Right to lodge a complaint with a supervisory authority
You may revoke your consent at any time with effect for the future.
Contact for exercising your rights: dsb@bundesanzeiger.de
Note: We endeavour to take technical and organisational steps that allow us to store your personal data in a way that renders them inaccessible to third parties. Since we cannot guarantee complete data security during communication by e-mail, we recommend sending confidential information by post.
8.2. Supervisory authority
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Straße 153, 53117 Bonn
Telephone: +49 (0)228-997799-0
E-mail: poststelle@bfdi.bund.de
9. Automated processing
There is no automated decision-making or profiling within the meaning of Article 22 GDPR.
10. Data protection officer
You can contact our data protection officer at:
Data Protection Officer of Bundesanzeiger Verlag GmbH
c/o Bundesanzeiger Verlag GmbH
Amsterdamer Str. 192
50735 Köln
E-mail: dsb@bundesanzeiger.de
11. Scope
This Data Privacy Statement is applicable to the domain https://www.transparenzregister.de.
