Privacy Notice for Securitisation Repository Services

I. Introduction/Controller

This privacy notice applies with regard to the processing of personal data by

European DataWarehouse GmbH (“European DataWarehouse“, “we“, “our“, “us“)
Walther-von-Cronberg-Platz 2
60594 Frankfurt am Main
Germany
Tel .: +49 69 50986 9300

in connection with the provision of data analysis and management services, as well as with regard to research activities.

 

II.Name and address of the data protection officer

Susanne Klein
Beiten Burkhardt Services GmbH
Mainzer Landstrasse 36

60325 Frankfurt am Main
Germany
Tel: +49 69 756095-582
E-Mail: gdpr@eurodw.eu

 

III. Categories of personal data

Personal data of end-customers (data subject) of Data Owners as provided in the data uploaded to ED Software, such as:

  • Name and contact details pseudonymised;
  • Financial details (relating to loans payments under loans).


IV. Processing purposes, legal basis and categories of recipients

We process the personal data of the data subjects in order to:

a) fulfil our regulatory requirements as a designated securitisation repository under Regulation (EU) 2017/2402, e.g., for the storage, analysis and data quality verification with regard to transactions in financial instruments or portfolios on ED software as described in your agreement with EDW;

b) conduct data analysis and research activities, either for our own purposes, in the context of any of the different projects and initiatives in which we participate, e.g., Green Auto Securitisation project, or for the benefit of the securitisation market.

Below you can find a description of the purposes for which we process personal data, including the recipients or categories of recipients to whom we transfer personal data for the purposes mentioned in each case and the relevant legal basis.

Any access to personal data is restricted to those persons who need to know the respective personal data in order to perform their professional duties (“need-to-know principle”).

We may transfer your personal data for the respective purposes to the following recipients and categories of recipients:

  • Private third parties – data users (investors and potential investors, credit rating agencies, consultancy firms, etc.), data vendors, counterparties involved in the relevant securitisations, parent and related companies of/to the Data Owners of the relevant securitisations, affiliated companies of EDW, partners and former partners in research projects, prospective customers.
  • Data processors – Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data on behalf of us under appropriate instructions as necessary for the respective processing purposes, including IT and other administrative services (e.g., billing services, hosting and/or maintenance of IT systems). The data processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.
  • Governmental authorities, regulatory and supervisory authorities, courts, external advisors, and similar third parties that are public bodies as required or permitted by applicable law.

1. We process personal data in order to comply with legal obligations (Art. 6 (1) c) GDPR) to which we are subject, including for the following purposes:

Collect, host, process and make available securitisation data under Regulation (EU) 2017/2402.

Participation in formal investigations and proceedings (including judicial proceedings) conducted by public authorities or governmental authorities, in particular, for the purpose of detecting, investigating and prosecuting illegal acts.
Complying with legal retention obligations (see VI. “Storage duration and deletion” below).

2. We process personal data to the extent necessary for the purposes of the legitimate interests pursued by us or by a third party (Art. 6 (1) f) GDPR), including for the following purposes:

Commercialise securitisation data received in our remit as a designated securitisation repository under Regulation (EU) 2017/2402.

Facilitate access to securitisation data to parties with a legitimate interest in the securitisation data hosted by EDW (e.g., transaction counterparties, parent or related companies, etc.).

Conduct data analysis and research activities, including, but not limited to projects and initiatives like, for instance, Green Auto Securitisation (GAS).
Explore business opportunities with third parties.

Maintain information security.

Participation in proceedings (including judicial proceedings) conducted by courts, law enforcement agencies, government agencies or public authorities, intergovernmental or supranational bodies, in particular for the purpose of detecting, investigating and prosecuting illegal acts, unless there is a statutory obligation.

 

V.Storage duration and deletions

We store personal data as long as it is necessary to fulfill the respective purposes. When we no longer need personal data to comply with contractual or legal obligations, it is either used for research purposes or deleted from our systems or anonymized. Something else only applies if we have to fulfill legal or official obligations, e.g., statutory retention obligations. In Germany such retention obligations may arise, in particular, under the German Commercial Code (Handelsgesetzbuch, “HGB“) or the German Fiscal Code (Abgabenordnung, “AO“), and may generally be 6 to 10 years (e.g. for contracts and business letters).


VI.Cross-border data transfer

Some of the recipients of the personal data will be located or may have relevant operations outside of the data subject’s country and the European Economic Area, such as in the USA, where the data protection laws may provide a different level of protection compared to the laws in the EU/EEA and with regard to which an adequacy decision by the European Commission does not exist. The countries which provide an adequate level of data protection from a European data protection law perspective include Andorra, Argentina, Canada, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the Eastern Republic of Uruguay and the United Kingdom. With regard to data transfers to such recipients outside of the European Economic Area we provide appropriate safeguards, in particular, by way of entering into data transfer agreements adopted by the European Commission (e.g. Standard Contractual Clauses (2021/914/EU)) with the recipients or taking other measures to provide an adequate level of data protection, where this is required under applicable law. We will provide the data subject with a copy of the respective measure we have taken upon request.

 

VII.Rights of the data subject

Under applicable data protection law the data subject has the right, in addition to the right to withdraw consents at any time (the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal) to make a complaint to a data protection supervisory authority. In addition, the data subject may be entitled to the following rights (though these rights may be restricted by national law). To exercise these rights, please contact us using the contact details provided under II. above.

1. Right of access: The data subject may have the right to obtain from us confirmation as to whether or not personal data concerning the data subject is being processed, and, where that is the case, to request access to the personal data. The right of access includes, among other things, the purposes of the processing, the categories of the personal data to be processed, and the recipients or categories of recipient to whom the personal data will be disclosed. However, this right is not unrestricted as the rights of other persons may limit the data subject’s right of access.
In certain circumstances the data subject has the right to receive a copy of the personal data processed by us. For further copies requested by the data subject, we charge a reasonable fee, where relevant calculated on the basis of administrative costs.

2. Right to rectification: The data subject has the right, where relevant, to request the rectification of inaccurate personal data. Depending on the purposes of the processing, the data subject may have the right to have incomplete personal data completed, including through the provision of a supplementary statement.

3. Right to erasure (right to be forgotten): Subject to certain preconditions, the data subject has the right to request us to erase personal data concerning the data subject and we may be obliged to erase such personal data.

4. Right to restriction of processing: Subject to certain preconditions, the data subject has the right to request that we restrict the processing of his/her personal data. In that case, the data concerned will be marked and only processed by us for certain purposes.

5. Right to data portability: Subject to certain preconditions, the data subject has the right to receive the personal data, which the data subject has provided to us, in a structured, commonly used and machine-readable format and the right to transmit that data to a different controller without hindrance from us.

6. Right to object: Subject to certain preconditions, the data subject has the right to object at any time to the processing of his/her personal data by us on grounds arising from his/her particular situation, and we can be required not to process the personal data any longer. If personal data is processed for direct marketing purposes, the data subject has an additional right to object at any time to the processing of personal data in relation to him/her for the purpose of such marketing. This also applies to profiling where this is connected to direct marketing. In that case, the personal data will no longer be processed by us for these purposes.