Privacy notice flow app

a. Personal Data actively provided by you:

• flow newsletter registration: After you have downloaded the flow app, you can voluntarily register to receive flow newsletters via the web view function in the app by inserting your email address (“Registration Data”), whereupon you will receive an email asking you to confirm your registration. The legal basis for the processing of such newsletter registration data, in this case your email address, is your consent, which you have given in the registration process via the web view function of the app.

b. Other passively collected information:

In addition to the personal data that you actively provide, the flow app may automatically collect, process and store certain information on an anonymous basis:

• Technical monitoring – such as where the app was downloaded from, aggregated usage, performance data or events that occur within the flow app. This technology is required to ensure the technical functionality of the app, to recognise errors and anomalies (e.g. to identify cyberattacks and to monitor if the app is accessible and app content like articles, magazines, videos or podcasts can be opened on different mobile devices). This analytical functionality will not be used for any marketing purpose. The legal basis for the technical monitoring is our legitimate interest.

c. Push notifications

For the creation and distribution of push notifications we use Firebase Cloud Messaging, which is a messaging service provided by Google Ireland Limited. These notifications may include updates of new flow articles, the release of our flow magazine and other important app release information (like new app functions or upcoming app releases).

If you agree to push notifications, Firebase Cloud Messaging will use a so-called Firebase installation ID to determine which devices to send messages to.

Firebase retains Firebase installation IDs until you withdraw your given consent to receive push messages in the flow app. After withdrawing your consent, Firebase Cloud Messaging will remove your data from live and backup systems within 180 days.

The legal basis for using push notifications is your consent. You can revoke your consent at any time by clicking on “More” in the app navigation and changing the “Notification settings” under “App settings”.

a. Transfer to service providers

The flow app itself doesn’t require IT services where an external service provider will have access to your personal data (Registration Data).

The flow app provides the voluntary option to subscribe to our flow newsletters via the web view function in the app. IT services for the newsletter subscription will be provided by an external service provider. When providing such services, the external service provider may have access to and/or may process your personal data. We request those external service providers to implement and apply security safeguards to ensure the protection and security of your personal data. The transfer of personal data to the newsletter subscription service providers is based on your consent, which you have given in the registration process via the web view function of the app.

b. Other recipients

Within the bank, those offices are given access to your data which require them in order to perform our precontractual and statutory obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they observe banking secrecy and our written instructions under data protection law. Recipients of personal data may be, for example processors to whom we transfer personal data in order to perform the business relationship with you. Specifically: support of EDP / IT applications, marketing, website/mobile application management.

c. International transfers of personal data

If service providers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses or other appropriate legal safeguards.

Pursuant to the applicable data protection law you may have the right (i) to request access to your personal data you provided during the flow newsletter registration process by using the web view of flow app, (ii) to request rectification of your personal data, (iii) to request erasure of your personal data, (iv) to request restriction of processing of your personal data, (v) to request data portability, (vi) to object to the processing of your personal data (including objection to profiling; also other rights in connection with automated decision-making).

Please note that the above-mentioned rights might be limited under the applicable national data protection law. Please find further information on your rights below:

a. Right of access

You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information include – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed.

You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

b. Right to rectification

You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement. You can change the Profile Data you provided during the newsletter subscription process on the website at any time under the following link: https://flow.db.com/profilechanges/profilechanges-preferences

c. Right to erasure (right to be forgotten)

Under certain circumstances you may have the right to obtain from us restriction of processing your personal data. In this case the respective data will be marked and may only be processed by us for certain purposes.

d. Right to restriction of processing

Under certain circumstances you may have the right to obtain from us restriction of processing your personal data. In this case the respective data will be marked and may only be processed by us for certain purposes.

e. Right to data portability

Under certain circumstances you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

f. Right to object

Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling, by us and we can be required to no longer process your personal data. As we process and use your personal data primarily for purposes of carrying out the contractual relationship with you, we will in principle have a legitimate interest for the processing which will override your objection request, unless the objection request relates to marketing activities.

To exercise your rights please contact us as stated under Sec. 5 (Contact us) below.

You also have the right to lodge a complaint with the competent data protection supervisory authority (Der Hessische Datenschutzbeauftragte).

The consent given for subscribing to the flow newsletter remains unaffected by uninstalling the flow app. To withdraw the newsletter subscription, send an email to corporate.bank@db.com or access the “My profile and preferences” website by following this link: https://flow.db.com/profilechanges/profilechanges-preferences

In case of questions and to exercise the rights mentioned in Sec. 3 please contact us under the following email address: corporate.bank@db.com

Our data protection officer is available under the following address: Taunusanlage 12, 60325 Frankfurt/Main, datenschutz.db@db.com