Tip: Activate javascript to be able to use all functions of our website

Data Protection

KfW Privacy Notice

You can rely on the protection and security of your personal data: we consider it our responsibility to protect your privacy when processing your personal data. The following privacy notices provide an overview of the processing of your data and the rights you have under data protection regulations when using the products and services of KfW Group.

1. Who is responsible for data processing and whom can I contact?

The following party is responsible:

  • KfW (hereinafter referred to as ‘we’ or ‘us’)
    Palmengartenstrasse 5-9
    60325 Frankfurt, Germany
  • Tel: +49 69 7431-0
    Fax: +49 69 7431 29 44

You can reach our company data protection officer at:

  • KfW
    Data protection officer
    Palmengartenstrasse 5-9
    60325 Frankfurt, Germany

2. Which sources and data does KfW use?

We process personal data that we receive from our customers, business partners and website visitors in connection with the use of our website, the use of our portals, subscription to newsletters and in connection with our business relationships with these groups.

Personal data processed by us refers in particular to personal details (such as name, address, telecommunications data, date and place of birth, marital status), identification data (such as ID, residence registration data), contractual data, advertising and sales data, documentation data, registration data and similar information.

3. For what purpose does KfW process your data and on what legal basis?

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other applicable legal regulations.

For technical reasons, it is necessary to collect and store certain personal data when you visit our website and our portals, such as the IP address, the date and duration of your visit, the websites used, the identification data of the used browser and operating system type and, if applicable, the website from which you arrived at our site. The legal basis for processing your personal data in this context is Article 6(1)(f) GDPR.

In addition, the products and services cited below, which you can find on our website, may require you to provide personal data in order to use them.

3.1 General communications and mailing of newsletters.

  • general communications, particularly via the contact form,
  • processing other enquiries,
  • mailing of newsletters

We store and process your data for inquiries for the purpose of customer information and support. You can object to this type of processing at any time. Any further use and disclosure of your data does not take place. The basis for the processing of your personal data in this context is Article 6(1)(1)(f) GDPR. According to this, the processing of personal data is permitted if this is necessary to purpose legitimate interests, except where such interests are overridden by the interests of the data subject which require protection of personal data. We have a legitimate interest in optimizing prospect/customer support. We protect the data concerned in such a way that we do not see any major disadvantages for you.

If you have given us your consent to process personal data for specific purposes (e.g to send our newsletter), this consent serves as the legal basis for processing the data (Article 6(1)(1)(a) GDPR). Consent which has been granted may be revoked at any time. This also applies to revoking declarations of consent that were issued to us before the GDPR took effect, i.e. before 25 May 2018. If consent is revoked, the legality of data processing carried out before consent was revoked is not affected.

3.2 Portal use

  • Use of our portals, including the “Meine KfW” service portal, the KfW grant portal and the online loan portal

The processing of your personal data in the context of using this portal is generally a prerequisite for concluding and fulfilling a contract with you or entering into a preliminary agreement with you in our promotional programmes. For this purpose, we process your personal data on the basis of separate terms of use to be able to provide you, as the person using the portal, with the respective functionalities thereof. You are not legally obligated to share your personal data with us. Without this data, however, we will not be able to execute the relevant contract with you. The legal basis for this processing is Article 6(1)(1)(b) GDPR. This provision permits the processing of personal data if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps prior to entering into a contract.

As part of the contractual services provided by KfW, selected KfW portals contain the option for users to design the content of the portal according to personal needs for prolonged use. The processing of personal data required for this is used exclusively for the aforementioned purposes.

In addition, we wish to inform you in particular about the processing of your personal data in connection with the use of our “Meine KfW” service portal:

You can use “Meine KfW” (meine.kfw.de) via our website. “Meine KfW” is a free personal service portal. It enables you to register and create an account for the preparation and/or submission of promotional applications, the submission of evidence, and the management of promotional data in certain KfW promotional programmes.

The following information under this section is intended for you, as the person using the “Meine KfW” portal. We will inform you about the processing of personal data of interested parties, applicants and funding recipients, including to the degree that processing is carried out or initiated, whether in whole or in part, via “Meine KfW”, separately in the “Product-specific data privacy notices and information on the right to object in domestic promotional business”.

a.) Registration and creation of a user account under “Meine KfW”

To use “Meine KfW”, you must register, stating the necessary information (surname, first name, residential address, email address, username, password) and provide confirmations required as part of the registration process. This information is required for the registration and administration of your user account, for the use of “Meine KfW”, and for the purpose of contacting you in this regard (e.g. status emails). In particular, you will receive an activation link to the specified email address during registration. By activating your user account, your registration in “Meine KfW” is complete and the user account has been created. If your account is not activated, your data will promptly be deleted from our systems.

b.) Additional voluntary information and options

When using “Meine KfW”, you can add further personal details to your user account, optionally enhance the security settings for your user account and individually configure settings according to your usage preferences. This information and settings are voluntary and can be deactivated or deleted at any time. You can set up two-factor authentication to increase access protection for your “Meine KfW” user account. When activated, an additional second factor for authentication (one-time password) is required in addition to your username and password when logging in.

c.) Technical data

In technical terms, we use an identity and access management system operated on KfW systems for the purpose of access control and user authentication as part of the registration and login for “Meine KfW”. We log the activities of the person using the portal in “Meine KfW” to the extent permitted by law. There is no evaluation of individual usage behaviour. For the storage of technically necessary data as well as for the use of cookies and similar technologies, including in the context of registration and use at “Meine KfW”, please also refer to the provisions under clause 3.6 and to KfW’s cookie notices.

Within the context of providing “Meine KfW”, KfW uses central infrastructure and cloud services to achieve reliable computing and user-optimised data processing with correspondingly short processing times and a high level of multi-layered security methodology. KfW only uses server locations within the European Union and does not intend to transfer your data to third countries. Nevertheless, as part of an international group, the European cloud service provider used by KfW may be obliged to hand over personal data to security authorities via its parent company on the basis of non-European legal systems – in particular the United States (USA). KfW has taken extensive security measures in this regard – both contractual and technical – to exclude corresponding access risks. In addition, the cloud service provider used is obliged to comply with the EU standard contractual clauses and is certified under the EU-US Data Privacy Framework.

The data transmitted to the portal as part of using “Meine KfW”, including your registration and account details as well as the current status and detailed data on individual promotional measures, will be stored in the portal at the longest for the duration of your user account, for the purpose of appropriate and user-optimised provision of the functionalities under “Meine KfW” in accordance with defined deletion deadlines. The deletion concept provides for the deletion of your user account, including your registration and account details, in particular if you have not logged into “Meine KfW” for more than two years after completing registration, and no further promotional measures are administered in your “Meine KfW” user account. Previous promotional measures will be deleted from your “Meine KfW” user account three years after processing is complete. In addition, you can arrange for the deletion of your user account yourself at any time, provided no promotional measure is currently being processed under “Meine KfW”.

The complete recording and storage of data on promotional measures is carried out outside the portal in accordance with the statutory retention periods.

3.3 Analysis of user behaviour and direct marketing – for the purpose of safeguarding legitimate interests:

  • testing and optimising demand analysis procedures for the purpose of directly approaching customers,
  • advertising or market research and polling, insofar as you have not objected to the use of your data,
  • measures in relation to business management and the further development of services and products.

The legal basis for processing your personal data in this context is Article 6(1)(1)(f) GDPR unless we have, in individual cases, obtained your consent. Pursuant to this provision, processing personal data is permissible if this is necessary for the purposes of legitimate interests except where such interests are overridden by the interests or fundamental rights of the data subject which require that the personal data are not processed. We have a justified interest in aligning our offers with customer behaviour and optimising them. We believe that these interests prevail since, as an international financial institution, we must control and optimise our offers in order to fulfil our promotional mandate. The alignment with our customers allows us to offer and optimise services according to the needs and interests of our customers. We protect the relevant data in such a way that we do not see any overriding disadvantages for you.

3.4 Risk management and compliance – for the purpose of safeguarding justified interests:

  • assertion of legal claims and defence in legal disputes,
  • prevention and investigation of criminal activities,
  • guarantee of IT security and IT operations at the bank,
  • risk management at KfW Group

The legal basis for processing your personal data in this context is Article 6(1)(1)(f) GDPR. Our justified interest consists of complying with applicable legal provisions, maintaining the security of our IT systems and, in case of non-compliance with legal requirements or violations of security regulations, responding adequately to such circumstances, for instance by asserting legal claims. We believe that these interests prevail since, as a bank, we are subject to a significant number of regulatory requirements and have a responsibility towards our customers to ensure that the corresponding requirements and security regulations are complied with. We protect the relevant data in such a way that we do not see any overriding disadvantages for you.

3.5 Social media

You can access various social media from our website.

Caution: When choosing one of the following links, you will leave our website and be directed to the website of a social media platform. Any information available there was created without any involvement from us, and we are therefore not responsible for this content. We do not accept any liability for the information being up-to-date, accurate or complete. Any reference to social media does not imply any approval on our part.

Particularly for reasons of data protection compliance, the relevant social media cannot be accessed directly. Corresponding notes are therefore displayed. In addition, you may first have to click on integrated buttons, thus giving your express consent to communication with the social media platform. Only after that will the browser connect you by establishing a direct connection with the social media platform’s servers.

Please keep in mind that we are not aware of nor do we influence how and what data find their way to the social media platform.

By activating the button, you will provide the social media platform with the information that you have opened one of the web pages of the platform on the Internet. If you are already registered with the social media platform, it will be able to link your visit with your account on the social media platform. However, even if you have not yet registered with the social media platform, it is not possible to preclude the possibility that it will collect and/or store your IP address after you click on the platform.

You can find more information on social media use by KfW here.

3.6 Cookies and other technologies for website analysis

We use cookies and other technologies for the operation of our website, as well as for a pseudonymised recording of its usage. In this way, we can conduct analyses of user behaviour by collecting and analysing the information communicated by your browser. However, none of these analyses are linked to individual persons. Any personal identification characteristics, namely in this case the IP address, are deleted at the moment of processing and replaced by an indicator, which makes it impossible or at least extremely difficult to identify the data subject. This methodology ensures that KfW is routinely unable to establish a concrete link to particular persons.

In our cookie notes you can find detailed information on which cookies and other technologies are used for which concrete purposes and on which legal basis this is done. You can also find opt out-options there.

You can access the cookie notes by clicking on the blue circular icon with the fingerprint at the bottom left of this page.

3.7 Chat: Chatbot and transfer to live chat

You can use the function of the KfW chatbot on this website. Your IP address is collected during use and retained for three days for technical reasons. We have a legitimate interest in the collection and storage of the IP address (Article 6(1)(f) GDPR). This is necessary for the need-based design of our KfW chatbot and for guaranteeing a problem-free service. The technical operation of the KfW chatbot is carried out by a carefully selected service provider. No personal data are transmitted to any country outside the European Union or the European Economic Area.

If you use the KfW chatbot, please do not enter any personal or confidential data such as your name, address or account number. Our chats are stored for 30 days in anonymised form.

If you use the live chat, you will be referred to a KfW specialist. You can enter personal data or confidential data, such as name, address or business partner number (BP number), in the live chat. KfW stores the entire chat history with the data it contains and automatically deletes it after six years if a customer relationship exists or arises. If no contractual relations are established, the data is automatically deleted after six months on the basis of KfW’s legitimate interest. In principle, no personal data is transmitted to any country outside the European Union or the European Economic Area. If, in exceptional cases, your data is transferred to countries outside the EU (for example, if it is necessary to rectify technical errors), this takes place in close consideration of the requirements of Art. 44 et seqq. GDPR, and an appropriate level of data protection is ensured (e.g. appropriateness decision of the EU Commission, EU standard contractual clauses or other suitable guarantees within the meaning of Art. 44 et seqq. GDPR).

3.7 Authentication procedure for the KfW Förderassistent funding tool

To enable the use of the KfW Förderassistent funding tool (https://foerderassistent.kfw.de), your surname, first name, email address and telemetric data are communicated to the Microsoft Corporation in non-EU countries during the registration process. This serves the technically necessary purpose of being able to authenticate your registration process by sending an email. The data processing is based on the performance of tasks carried out in the public interest (Article 6(1)(e) GDPR). The Microsoft Corporation has undertaken to comply with the data protection standards of the EU. Your data are stored by the Microsoft Corporation for a maximum of 30 days and then deleted.

3.8 Authentication procedure for the KfW Förderassistent funding tool

To enable the use of the KfW Förderassistent funding tool (https://foerderassistent.kfw.de), your surname, first name, email address and telemetric data are communicated to the Microsoft Corporation in non-EU countries during the registration process. This serves the technically necessary purpose of being able to authenticate your registration process by sending an email. The data processing is based on the performance of tasks carried out in the public interest (Article 6(1)(e) GDPR). The Microsoft Corporation has undertaken to comply with the data protection standards of the EU. Your data are stored by the Microsoft Corporation for a maximum of 30 days and then deleted.

3.9 Authentication information

KfW uses its authentication information (e.g. user name and password) to give only you access to your confidential data.

You should therefore

  • keep your authentication information secret and do not share it with third parties,
  • change them immediately if you suspect a password has been compromised,
  • do not use passwords more than once.

4. Who receives my data?

Within the bank, the departments that need your data to fulfil our contractual and legal obligations receive access to your data. Service providers and subcontractors whose services we use may also receive data for these purposes if they observe banking secrecy and data protection. With regard to the transfer of data, we have undertaken to maintain confidentiality concerning all customer-related facts and assessments about which we become aware (banking secrecy).

We may only disclose information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide such information for other reasons. Under these conditions, recipients of personal data could include:

  • Public bodies and institutions (e.g. the Deutsche Bundesbank, the Federal Financial Supervisory Authority, the Federal Court of Auditors, courts of auditors in the German states, the Federal Parliament including its committees, the European Banking Authority, the European Central Bank (ECB), the European Investment Fund (EIF), the European Investment Bank (EIB), the European Commission, German federal and state ministries, financial authorities and official bodies) in the event of a legal or official obligation.
  • Other credit and financial services institutions or similar institutions to which KfW transfers personal data for the purpose of managing its business relationship with you (e.g. commercial banks or credit agencies, depending on the contract)
  • Service providers which process data on our behalf (e.g. data centres).
  • Specialists and the German Energy Agency (dena), if involved in the promotion.
  • Other bodies or service providers, insofar as we refer explicitly to them in these privacy notices or other KfW privacy policies.

Other data recipients may be bodies for which you have given us your consent to transfer data, or for which you have exempted us from banking secrecy by agreement or consent.

If you need further information on individual recipients, please do not hesitate to contact us.

5. Is data transferred to a third country or an international organisation?

Data are not transferred to entities in countries outside of the European Union (known as third countries), with the exception of the cases specified in these privacy notices or other KfW privacy policies.

In the event of a transfer to a third country, this shall be conducted under the application of appropriate guarantees of an adequate level of data protection (Article 44ff GDPR).

6. How long will my data be stored?

How long personal data are stored is based on the respective processing purposes. It is not possible to list the various storage periods in a reasonable format here. The criteria to determine the specific individual storage periods are the following:

  • If we only process data for the purpose of executing a contractual relationship, we store the data for the duration of the contractual relationship.
  • Where we process data in connection with anticipated legal disputes, we will store the data until the court proceedings have definitively been completed or until the claims at issue have become time-barred in accordance with the applicable civil law provisions. The general limitation period is three years.
  • In addition, we are subject to various storage and documentation requirements arising from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG), among others. The periods for retention and documentation stipulated in these laws range from two to ten years.
  • When using the online version of the electronic form archive and the repayment calculator, the entered data are retained in the main memory of our server only for the duration of the use of the applications: the process duration is currently set to one hour from the start of the session. Data are not stored either temporarily or permanently.

In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR).

7. What are my data privacy rights?

If the statutory prerequisites are met, you have the following rights in accordance with Articles 15 to 22 GDPR:

  • Right of access in accordance with Article 15 of the GDPR, i.e. the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to this personal data and other information;
  • Right to rectification in accordance with Article 16 of the GDPR if personal data concerning you is not correct;
  • Right to erasure in accordance with Article 17 of the GDPR, e.g. when the personal data is no longer necessary in relation to the purposes for which it was processed;
  • Right to restriction of processing in accordance with Article 18 of the GDPR; and
  • Right to data portability in accordance with Article 20 GDPR, i.e. the right to receive your personal data from us in a structured, commonly used and machine-readable format and the right to transmit that data to another controller. However, in accordance with the second sentence of Article 20(3) GDPR, this right shall not apply to processing necessary for the performance of a task carried out in the public interest.

With respect to the right of access and the right to erasure, the restrictions pursuant to Articles 34 and 35 of the German Federal Data Protection Act apply.

In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR).

8. Note on data processing for undisclosed assignments and the purchase of claims receivable

In the context of undisclosed assignments for the granting of securities in business transactions, KfW is given the name, address and contractual data of the relevant debtors from the grantor of the collateral or from the seller of the receivables for the purpose of the adequate individualisation of the security collateral required by law. Insofar as the assigned receivables are not liquidated by KfW, the data are collected and stored exclusively for administrative purposes (recording of the receivables assigned as collateral) and they are not processed further in any form. In this situation, KfW is not subject to any notification requirement with regard to data owners in accordance with Article 14(5)(b) GDPR.

There is no transfer of the data to third parties or to bodies in a third country during the course of such an undisclosed assignment. The data are deleted after the expiry of the statutory storage obligations. There is no automated individual decision-making, including profiling.

Right to revoke your consent

You can revoke consent that you have granted to process data at any time. This does not, however, affect the legality of processing carried out before consent was revoked. If you revoke your consent, we shall no longer process the data for these purposes.

Information about your rights to object

Right to object in individual cases in accordance with Article 21 GDPR

You have the right to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(1)(f) GDPR (data processing for the purposes of legitimate interests) or Article 6(1)(1)(e) GDPR (data processing for the performance of a task carried out in the public interest), insofar as reasons arise from your particular situation that provide arguments against the processing of this data. This also applies if automated individual decision-making is used (Article 22 GDPR).

If you raise an objection, we will no longer process your personal data, unless we can provide compelling evidence as to why processing is worthwhile that override your interests, rights and freedoms, or unless processing serves to assert, exercise or defend legal claims. This does not apply if we conduct direct advertising on the basis of the aforementioned provisions. In the event of an objection to the processing of personal data for direct marketing purposes, the personal data concerned will no longer be processed for these purposes without restriction and regardless of any balancing of conflicting interests.

Objections pursuant to Article 21 GDPR can be addressed in writing or by email to KfW or KfW’s Data Protection Officer using the contact information provided under clause 1. Alternatively, an objection that only concerns direct marketing can be sent to .

Last updated: September 2023

Contact

Data Protection Officer