
Data Protection Information Regarding Compliance Investigations

The Compliance Department of the KfW Group ("KfW Compliance" or "we") ensures compliance with laws and regulations through a business model-oriented compliance organization, legally secure processes, and preventive and responsive measures. We hereby inform you in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) about the processing of your personal data ("data") in connection with compliance investigations and other measures to ensure adherence to applicable laws.

KfW Compliance will process your data in the context of compliance measures only in accordance with the relevant data protection regulations. These regulations arise particularly from the GDPR and the Federal Data Protection Act (BDSG). This data protection information provides further explanations regarding data processing for the purposes of conducting compliance investigations and compliance measures ("compliance purposes"). It complements our general data protection declarations (including the KfW data protection principles, product-specific data protection notices, and data protection notices for employees).

1. Background of Data Processing

KfW Compliance must ensure adherence to applicable laws within its business operations. This applies, for example, to requirements of criminal law, administrative offenses law, tax law, data protection law, stock corporation law, labor law, antitrust law, and other binding legal requirements. If compliance does not sufficiently meet these legal requirements, disadvantages such as fines, penalties, claims for damages, or reputational damage may arise. To fulfill its legal obligations, KfW therefore takes appropriate measures to ensure compliance within the company. This also includes the processing of your data for compliance purposes. Violations of applicable law or internal company policies, including the Code of Conduct, are not tolerated and are pursued consistently.

Typical measures for implementing compliance purposes may include, for example, the following compliance actions:

  • Cooperation with public prosecutors, police, and other German and international authorities,
  • Evaluation of emails or other relevant documents or drives,
  • Comparison with results from internal audits or commissioned external auditors,
  • Evaluation of incoming reports (so-called whistleblowing),
  • Engagement of service providers, e.g., the use of lawyers, auditors, detectives, IT specialists, or tax advisors.

2. For What Purposes Do We Process Your Data?

KfW Compliance processes your data in accordance with applicable laws, particularly for the following specific compliance purposes:

  • Investigation of misconduct: Compliance measures may serve to uncover and clarify possible (employment) contractual breaches or criminal offenses by customers and employees of KfW, as well as other irregularities within the company; this includes the investigation and prosecution of fraud, corruption, tax offenses, money laundering, or other economic crimes;
  • Prevention of future misconduct: Furthermore, compliance measures typically aim to prevent, or at least make more difficult, future (employment) contractual breaches or criminal offenses by customers and employees of KfW;
  • Legal enforcement: Compliance measures may also serve to compensate for and defend against impending economic or other damages or disadvantages for KfW, thereby ensuring effective legal defense and the exercise and enforcement of rights. For example, the KfW Compliance Department may conduct compliance measures to prepare for labor court proceedings or other legal disputes;
  • Relief for customers and employees: KfW Compliance also takes appropriate compliance measures to clarify possible accusations against customers and employees of KfW who are unjustly suspected and to relieve them (so-called rehabilitation);
  • Implementation of legal obligations: KfW Compliance is subject to comprehensive legal supervisory and compliance obligations. These arise, among other things, from Sections 130, 30 of the Administrative Offenses Act (OWiG) and Sections 93, 111 of the Stock Corporation Act (AktG). Compliance measures typically serve to implement these and other legal obligations of KfW;
  • Implementation of cooperation obligations: Compliance measures may also serve to fulfill legal cooperation obligations of KfW's Compliance Department in the context of criminal investigations or other administrative procedures.

Additionally, possible purposes for data processing include those mentioned in the KfW data protection principles, the data protection notices for employees under Section 3, and the product-specific data protection notices under Section 4.

3. Which Data or Data Categories Are Affected by Compliance Measures?

In the context of compliance measures, we may process the following data or data categories about you:

  • Personal information: We may process personal information about you in the context of compliance measures (e.g., name, private address, private phone number, private email address);
  • Employment information: Additionally, we may process employment-related information about you in the context of compliance measures (e.g., position in the company, job title, possible supervisory role, work email address, work phone number);
  • Information on relevant facts: Compliance measures often relate to specific facts. The investigation and evaluation of relevant information regarding the respective facts may allow conclusions about your behavior or actions you have taken. This may include, in individual cases, breaches of duty or criminal offenses;
  • Documents: KfW Compliance may also evaluate documents in the context of compliance measures. Typically, these will be documents that customers must submit for application purposes (e.g., invoices, notices, identity proofs, etc.). For employees, this may also include work-related documents (e.g., travel expense reports, time records, contracts, performance records, travel logs, or invoices). These documents may also contain personal data about you;
  • Communication behavior: Additionally, compliance measures may allow conclusions about your communication behavior when using company communication systems. For example, KfW Compliance may access the contents of emails in your work email inbox during email evaluations. Furthermore, KfW Compliance may evaluate log data or metadata;
  • Private content: In individual cases, the data sets to be evaluated may also contain private content about you. This applies, for example, in the context of email evaluations. However, the Compliance Department will ensure through appropriate technical and organizational measures that data sets containing purely private content are not evaluated;
  • Data on criminal convictions and offenses: In the context of compliance measures, we may also need to collect data about you that allows conclusions about criminal offenses or criminal convictions related to you. KfW Compliance will process this data only in accordance with the relevant data protection regulations, particularly Article 10 of the GDPR;
  • Special categories of personal data: In individual cases, we may also collect special categories of personal data within the meaning of Article 9(1) of the GDPR in the context of compliance measures. This includes, for example, health data, data regarding possible union membership, biometric data, or data about political or religious beliefs. KfW Compliance will process such data only in accordance with the relevant data protection regulations, particularly under Article 9(2) of the GDPR or Section 26(3) of the BDSG.

4. What Is the Legal Basis for Processing Your Data?

KfW Compliance will process your data in the context of compliance measures only to the extent that an applicable legal provision permits it. This includes, in particular, the provisions of the GDPR, the BDSG, and other relevant legal regulations. KfW Compliance will base data processing in the context of compliance measures primarily on the following legal grounds:

  • Implementation of the employment relationship (Section 26(1) Sentence 1 BDSG): Data processing in the context of compliance measures may be necessary for the establishment, execution, and termination of the employment relationship with the respective affected employee. This applies, for example, to general compliance measures aimed at improving the internal compliance structures of KfW Compliance. Compliance measures to uncover breaches of employment contracts that do not constitute a criminal offense may also be justified under Section 26(1) Sentence 1 BDSG. Compliance measures may also be necessary for the settlement of employment relationships, for example, in the context of labor court disputes with the respective employee;
  • Investigation of criminal offenses (Section 26(1) Sentence 2 BDSG): If compliance measures serve to uncover possible criminal offenses in the context of employment relationships, they may be justified under Section 26(1) Sentence 2 BDSG. However, KfW Compliance will only rely on Section 26(1) Sentence 2 BDSG if documented factual indications justify the suspicion of a criminal offense in the employment relationship and the interests of the affected employee do not prevail;
  • Implementation of legal obligations (Article 6(1)(c) GDPR): As already stated in Sections 1 and 4, KfW Compliance is subject to comprehensive legal supervisory and compliance obligations. The compliance measures carried out by KfW Compliance thus also serve to implement these legal obligations;
  • Protection of legitimate interests (Article 6(1)(f) GDPR): KfW Compliance may also process your data to protect your or a third party's legitimate interests. These legitimate interests may include, in individual cases:
      • Legal defense: KfW Compliance conducts compliance measures, among other reasons, to avert damage from its own company. Data processing thus also serves the legitimate interests of KfW Compliance in the assertion, defense, and exercise of legal claims.
      • Improvement of compliance structures: Compliance measures may also serve to improve the internal compliance structures of KfW Compliance. For example, KfW Compliance may use compliance measures to identify and address possible weaknesses in its internal compliance organization. This is also a legitimate interest of KfW Compliance.
      • Support for accused employees: Compliance measures can also serve to exonerate accused employees. In principle, this is a legitimate interest of a third party.
      • Implementation of foreign legal regulations: In addition to national and EU legal requirements, KfW’s Compliance is also subject to comprehensive legal provisions from countries outside the EU in the area of compliance. This includes, for example, anti-corruption or competition regulations under US law. The implementation of such foreign legal regulations is also generally recognized as a legitimate interest.

KfW Compliance will ensure that compliance measures are only carried out to the extent that they are not outweighed by conflicting legitimate interests and rights of the affected customers and employees.

5. Disclosure of Your Data

KfW Compliance will only disclose your data to third parties in the context of compliance measures if there is a legal basis for doing so or if we have previously obtained your consent for the corresponding data transfer. In the context of compliance measures, the following recipients may be considered:

  • Other group companies: To clarify possible compliance issues, we may need to transfer your data to other group companies of KfW. Such internal group data transfers are particularly relevant when compliance measures are based on issues that affect multiple group companies.
  • Courts, authorities, and other public bodies: KfW Compliance may also disclose the results of compliance measures to public authorities. This may involve German or foreign public prosecutors, courts, or other authorities. Such disclosure may be necessary, particularly when KfW Compliance is legally obligated to disclose the corresponding data. This may occur, for example, in the context of criminal investigations.
  • Service providers: In conducting compliance measures, we may also rely on the support of external service providers, such as law firms or auditing firms. We will ensure through appropriate measures that these service providers process your data only in accordance with the relevant data protection regulations.
  • Instruction-bound processors: We may also involve processors within the meaning of Article 28 GDPR in the context of compliance measures, e.g., in document management. KfW Compliance will ensure that these processors only process data for KfW Compliance based on a valid data processing agreement.
  • Other third parties: If this is necessary for the implementation of the purposes mentioned in this data protection information and is not outweighed by conflicting legitimate interests of affected persons, the disclosure of your personal data to your service providers (energy consultants or other invoicers) as well as opposing parties or insurers may also be considered.

The KfW data protection principles and the data protection information for employees each contain a further listing of possible recipients of your personal data under Section 4, while the product-specific data protection notices contain this information under Section 6.

If we have not collected your personal data processed for compliance purposes directly from you, we typically receive it from the parties mentioned above in this section of the data protection information, as well as from internal or external whistleblowers, business partners, or similar sources.

6. What Data Protection Rights Do You Have?

As an affected person, you can assert various rights. To exercise your rights, you can contact KfW Compliance using the contact details provided in Section 2.

The rights of affected persons include, in particular:

  • Right to access (Article 15 GDPR);
  • Right to rectification (Article 16 GDPR);
  • Right to erasure (Article 17 GDPR);
  • Right to restriction of processing (Article 18 GDPR);
  • Right to lodge a complaint with a data protection supervisory authority.

The KfW data protection principles explain the conditions and scope of the individual rights of affected persons under Section 7, while the data protection information for employees provides this information under Section 8, and the product-specific data protection notices under Section 2.

7. How Long Do We Store Your Data?

KfW Compliance will store data collected in the context of compliance measures in accordance with the relevant data protection regulations, particularly in accordance with Article 17 GDPR. Thereafter, KfW will generally delete your data when it is no longer necessary for the compliance purposes mentioned in this data protection information. However, legal retention requirements or legitimate interests of the Compliance Department may justify a longer retention of your data. For example, KfW Compliance may retain your data during ongoing legal disputes resulting from possible compliance measures. The retention periods and deletion routines will be determined on a case-by-case basis, considering KfW's retention interests, the importance of retention for KfW Compliance, the legitimate interests of affected persons in deletion, and the likelihood that a suspicion reported in the whistleblower system is valid.

The KfW data protection principles under Section 6, the data protection notices for employees, and the product-specific data protection notices under Section 7 contain further information on the relevant provisions regarding the storage of personal data of customers and employees.

8. To What Extent Are Automated Individual Decisions or Profiling Measures Carried Out?

In the context of compliance measures, neither automated individual decisions nor profiling measures within the meaning of Article 22 GDPR take place.

9. Who Is Responsible for Processing Your Data?

The responsible party for processing your data within the meaning of Article 4(7) GDPR is:

KfW Group
Palmengartenstraße 5-9
60325 Frankfurt am Main

+49 69 74310

Depending on the scope and nature of the planned measures, KfW Compliance may engage independent service providers to carry out the corresponding compliance measures. In this case, the service providers often act as independent data controllers within the meaning of Article 4(7) GDPR. Such service providers may include auditors, law firms, or tax advisors.

Further information on the KfW data protection principles

