KfW Privacy Notice
You can rely on us to ensure the protection and security of your personal data: we consider it our responsibility to protect your privacy when processing personal data. The following privacy notice will give you an overview of the processing of your data and the rights you have pursuant to data protection provisions when using the services and products of KfW Group.
1. Who is responsible for data processing and who can I contact?
The controller is:
You can contact our data protection officer at:
2. What sources and data does KfW use?
We process personal data which we receive from our customers, business partners and website visitors in connection with the use of our website, the use of our portals, the subscription to newsletters and in connection with our business relationship.
The personal data that we process include, in particular, personal details (e.g. name, address, telecommunication data, date and place of birth, marital status), identification data (e.g. identity card, registration data), contract data, advertising and sales data, documentation data, register data and comparable data.
3. For what purpose does KfW process your data and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and other applicable legal provisions.
You can use almost all of our internet offerings without being required to submit personal data. You are, however, required to submit personal data in order to be able to use the offerings and services below, which you will find on our web pages.
3.1 General communication, use of portals and newsletters – for the purpose of performing contractual obligations and on the basis of your consent:
- general communication, particularly via the contact form,
- processing other enquiries,
- use of our portals such as, for instance, our grant portal or online loan portal,
The processing of your personal data in this context is, as a general rule, a prerequisite for concluding and performing a contract with you or entering into a pre-contractual relationship with you. You have no statutory obligation to provide personal data. Without these data, however, we will not be able to perform the relevant contract with you. The legal basis for this processing is Article 6(1)(1)(b) of the GDPR. This provision permits the processing of personal data if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps prior to entering into a contract.
If you have given us your consent to the processing of personal data for specific purposes (e.g. sending newsletters), such consent is the legal basis for the data processing (Article 6(1)(1)(a) of the GDPR). Any consent given may be withdrawn at any time. This also applies to the withdrawal of consent given to us prior to the applicability of the GDPR, i.e. before 25 May 2018. The withdrawal of the consent will not affect the lawfulness of the data processing carried out until the consent was withdrawn.
3.2 Analysis of user behaviour and direct marketing – for the purpose of safeguarding legitimate interests:
- testing and optimising demand analysis procedures for the purpose of directly approaching customers,
- advertising or market and opinion research to the extent you have not objected to the use of your data,
- measures in relation to business management and the further development of services and products
The legal basis for processing your personal data in this context is Article 6(1)(1)(f) of the GDPR unless we have, in individual cases, obtained your consent. Pursuant to this provision, processing personal data is permissible if this is necessary for the purposes of legitimate interests except where such interests are overridden by the interests or fundamental rights of the data subject which require that the personal data are not processed. We have a legitimate interest in aligning our offers with customer behaviour and optimising them. We believe that these interests prevail since, as an internationally operating financial institution, we must control and optimise our offers in order to fulfil our promotional mission. The alignment with our customers allows us to offer and optimise services according to the needs and interests of our customers. We protect the data concerned in such a way that we do not see any overriding disadvantages for you.
3.3 Risk management and compliance – for the purpose of safeguarding legitimate interests:
- establishing legal claims and defence in the event of legal disputes,
- prevention and investigation of criminal offences,
- ensuring IT security and the IT operations of the bank,
- risk management at KfW Group
The legal basis for processing your personal data in this context is Article 6(1)(1)(f) of the GDPR. Our legitimate interest consists in complying with applicable legal provisions, maintaining the security of our IT systems and, in case of non-compliance with legal requirements or violations of security regulations, responding adequately to such circumstances, for instance by establishing legal claims. We believe that these interests prevail since, as a credit institution, we are subject to a significant number of regulatory requirements and have a responsibility towards our customers to ensure that the corresponding requirements and security regulations are complied with. We protect the data concerned in such a way that we do not see any overriding disadvantages for you.
3.4 Social media
You can access our social media channels (Facebook, YouTube, LinkedIn, Xing, Google+ and Twitter) from our website.
Caution: When choosing one of the following links, you will leave our website and be directed to the website of a social medium. Any information possibly available there has been created without any involvement on our part and we are therefore not responsible for such information. We do not assume any liability for such information being up to date, accurate and/or complete. References to social media do not imply any approval on our part.
- Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA
- Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA
- Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
- LinkedIn Ireland, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
- XING AG, Dammtorstraße 30, 20354 Hamburg, Germany
- Shorthand Pty Ltd.
Particularly for reasons of data protection compliance, the relevant social media cannot be directly accessed. Corresponding notices will therefore be displayed. In addition, you may first have to click on integrated buttons, thus giving your express consent to the communication with the social medium. Only then will the browser connect you by establishing a direct connection with the servers of the social medium.
Please note that we ourselves have no definite information and no influence on how and what data are transferred to the social medium.
By activating the button, you will provide the social medium with the information that you have opened one of the web pages of the medium on the internet. In case you are already registered with the social medium, it will be able to link your visit with your account with the social medium. But even if you have not yet registered with the social medium, it cannot be excluded that, after clicking on the medium, it will collect and/or store your IP address.
Under no circumstances will data be used for the personal identification of a visitor (if this were at all technically possible) or linked with the data about the bearer of a pseudonym.
In order to protect our internet forms, we use the reCAPTCHA service of the enterprise Google Inc. (“Google”). The service includes sending your IP address and, where necessary, further data required by Google for the reCAPTCHA service to Google. Google’s differing privacy terms apply to these data. Further information on the privacy policies of Google reCAPTCHA can be found at .
4. Who will have access to my data?
Within the bank, those persons that need your data in order to perform our contractual and statutory obligations will be given access to your data. Service providers employed by us and persons employed by us in the performance of our obligations (Erfüllungsgehilfen) may also receive data for these purposes, provided that they comply with banking secrecy and data protection obligations. With respect to the disclosure of data, we have undertaken to keep all customer-related facts and assessments of which we become aware secret (banking secrecy).
We will only disclose information about you to third parties if this is required by statutory provisions, if you have given your consent or if we are entitled to disclose such information for other reasons. If these prerequisites are met, personal data may be disclosed to the following recipients:
- public bodies and institutions (e.g. the German Central Bank (Deutsche Bundesbank), the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht), the Federal Audit Office (Bundesrechnungshof), the State Audit Offices (Rechnungshöfe der Bundesländer), the Federal Parliament (Bundestag) including the Federal Parliament Committees (Bundestagsausschüsse), the European Banking Authority, the European Central Bank, the European Investment Fund (EIF), the European Investment Bank (EIB), the European Commission, federal and state ministries (Bundes- und Landesministerien), fiscal authorities and administrative units (Ämter)) if there is an obligation to do so imposed by law or by the authorities.
- other credit and financial services institutions or similar institutions to which we transfer personal data for the purpose of managing our business relationship with you (depending on the relevant agreement: e.g. commercial banks, credit agencies).
- service providers which process data on our behalf (e.g. data centres).
- experts and the German Energy Agency (Deutsche Energie-Agentur – dena), to the extent they are involved in a promotional project.
Further recipients of data can be the bodies in respect of which you gave us your consent to the transfer of data and/or in respect of which you released us from our banking secrecy obligation by agreement or consent.
If you need further information on individual recipients, please do not hesitate to contact us.
5. Will any data be transferred to a third country or to an international organisation?
There will be no transfer of data to bodies in countries outside the European Union (so-called third countries).
6. For how long will my data be stored?
The period during which the personal data are stored depends on the relevant purposes of the processing. It is not possible to specify all of the different storage periods in a reasonable format at this point. The following criteria are used to determine the relevant storage periods in the concrete individual case:
- Where we merely process data for the purpose of managing a contractual relationship, we will store the data for the duration of the contractual relationship.
- Where we process data in connection with anticipated legal disputes, we will store the data until the court proceedings have definitively been completed or until the claims at issue have become time-barred in accordance with the applicable civil-law provisions. The general limitation period is three years.
- In addition, we are subject to various record retention and documentation obligations imposed by, inter alia, the German Commercial Code (Handelsgesetzbuch – HGB), the German General Fiscal Code (Abgabenordnung – AO), the German Banking Act (Kreditwesengesetz – KWG), the German Anti-Money-Laundering Act (Geldwäschegesetz – GwG) and the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG). The record retention and documentation periods provided for by these acts are two to ten years.
- When using the online version of the electronic collection of forms and the repayments calculator, the data entered will, following the start of the session, only be held in the main memory on our server for the time during which the applications are used, currently for a task duration of one hour. Data will neither be stored temporarily nor permanently.
7. What data protection rights do I have?
If the statutory prerequisites are met, you have the following rights pursuant to Articles 15 to 22 of the GDPR:
- the right of access pursuant to Article 15 of the GDPR, i.e. the right to obtain from us confirmation as to whether or not personal data about you are processed and, where that is the case, to obtain access to these data and further information;
- the right to rectification pursuant to Article 16 of the GDPR if personal data concerning you are inaccurate;
- the right to erasure pursuant to Article 17 of the GDPR, e.g. if the personal data are no longer required for the purposes for which they were processed; and
- the right to restriction of processing pursuant to Article 18 of the GDPR.
With respect to the right of access and the right to erasure, the restrictions pursuant to sections 34 and 35 of the German Federal Data Protection Act apply.
In addition, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR).
Right to withdraw your consent
You may freely withdraw your consent to data processing at any time. However, this will not affect the lawfulness of the processing carried out on the basis of your consent until it was withdrawn. If you withdraw your consent or validly object to the further processing on the basis of your consent, we will no longer process the data for these purposes.
Information on your rights to object
Where we process personal data in order to perform direct advertising activities, you may object to the processing at any time and without giving any reasons.
There is no requirement as to the form of such objection. Please send your objection to:
- By mail:
Attn.: Objections Office (Widerspruchsstelle)
- By e-mail:
Individual right to object pursuant to Article 21 of the General Data Protection Regulation (GDPR)
You have the right to raise, at any time, an objection to the processing of your personal data which is carried out on the basis of a weighing of interests (Article 6(1)(1)(f) of the GDPR), provided that your particular situation provides reasons against such data processing. This also applies to any automated individual decision-making (Article 22 of the GDPR). If you raise an objection, we will no longer process your personal data for these purposes unless we are able to provide evidence of cogent reasons for the processing which are worthy of protection and which override your interests, rights and freedoms or unless the processing serves the purpose of establishing, exercising or defending legal claims.
Right to object pursuant to section 15 of the German Telemedia Act (Telemediengesetz – TMG)
Pursuant to section 15 of the German Telemedia Act, website visitors may object to the storage of their visitor data collected in anonymised form, so that such data will no longer be collected in the future.
In order to exclude Webtrekk web controlling, a cookie named “webtrekkOptOut” will be set by the domain. This objection will be valid for as long as you do not delete the cookie. In order to complete the objection, please click on the following link.