Privacy Policy

• Who is responsible for your data?
• To whom does this privacy policy apply?
• What is personal data and which of your personal data do we use?
• What categories of personal data do we process?
• Where do we get personal data from?

• Special categories of personal data ("sensitive data")
• Data of minors

• What (purpose of processing) do we process your data for?
• Purely informational use of our website
• Use of advanced features of our website
• Use of digital means of communication
• Use of your data for direct marketing
• Online events
• Other purposes (in particular security and abuse prevention)
• Cookies
• Use of Google Maps on our website
• What is our legal basis for using your personal data?
• Who gets your data?
• Is personal data transferred to a third country or to an international organisation?
• To what extent is my personal data used for profiling (scoring)?
• To what extent is there automated decision-making in individual cases?
• How long will we keep your personal data?

• Use of artificial intelligence (AI)
• Protection of your data
• Transparency

• What data protection rights do you have?
• Information about your right to object according to Art. 21 GDPR
• Do you have a complaint or is something still unclear?
• Why are there changes to the privacy policy?

The controller of your personal data and provider of this website is the

ABN AMRO Bank N.V. Frankfurt Branch

Mainzer Landstraße 1

60329 Frankfurt am Main

Further information about the bank can also be found in our imprint.

For any data protection enquiries, you can also contact us at:

ABN AMRO Bank N.V. Frankfurt Branch

Privacy Officer

Mainzer Landstraße 1

60329 Frankfurt am Main

Phone: +49 69 2177-0

E-mail: datenschutz@de.abnamro.com

In our group of companies, there is a Group Data Protection Officer, whom you can reach at the following contact details:

ABN AMRO Bank N.V.

Chief Privacy Officer

Gustav Mahlerlaan 10

1082 PP Amsterdam, Netherlands

E-Mail: privacy.office@nl.abnamro.com

This data protection notice applies to visitors to the publicly accessible areas of our websites. In addition, depending on the function used, they may also be relevant for persons who are not themselves customers of Bethmann HAL but are related to an interaction or transaction with our bank (e.g. payment recipients, authorised representatives, legal representatives, beneficial owners or citizens). Supplementaryor deviating data protection information may apply to individual products / services (e.g. online banking, push TAN, digital events); we will inform you separately about this or provide corresponding information / links.

This data protection notice deals with the processing of personal data (Art. 4 No. 2 of the European General Data Protection Regulation (hereinafter referred to as "GDPR")) on our websites. Personal data is information that either relates directly to you as a natural person or can be associated with you, i.e. can be related to you. Personal data includes, for example, your personal details (first name, surname, address, birthday, etc.), all types of contact details (e.g. telephone, e-mail address), gender, marital status, other information that you would find in an application and CV (e.g. about your education, professional experience) and any other information that we can assign to you as a natural person (e.g. data about your use of the telemedia we offer,  e.g. time of access to our website, apps or newsletters, pages clicked on by us or entries).

Depending on the use of our website, we process in particular:

• Usage / device data (e.g. IP address, time of access, pages accessed, browser / deviceinformation),
• Communication data (e.g. email address, content of your request),
• Contract/transaction reference (if you are a customer or concerns a transaction/interaction: e.g. assignment / reference data),
• Event/participation data (e.g. name, e-mail, technical metadata for online formats),
• Cookies/consent data (e.g. consent status, cookie categories).
• If we use audio/video communication (e.g. video consultation) or transcription functions in online meetings, we will provide separate information in advance about the purpose, legal basis, recipientand storage period.

We receive personal data in particular:

• from you when you use our website, fill in forms or contact us, and
• from other sources, to the extent permitted by law, such as publiclyavailablesources/registers, or
• service providers or third parties involved in the provision of digital functions or in the processing of transactions.

We only process special categories of personal data within the meaning of Art. 9 GDPR (e.g. biometric data for unique identification, health data)if this is legally permitted/required or if you have given your expressconsent. In caseswhere identification or security procedures are used, we will inform you separately about this inadvance.

If we process personal data of minors (e.g. when legal representatives act in the context of an interaction/request), this will only be done within the framework of the legal requirements. If consent is required, it must be given by the parent or legal guardian.

Anyone who receives personal data from you and processes it must be entitled to do so. The law calls this "a basis for processing" your personal data. We process your personal data in accordance with the statutory provisions, in particular the Telecommunications-Telemedia Data Protection Act (TTDSG), the GDPR and the Federal Data Protection Act (hereinafter referred to as the "BDSG") for the following purposes:

If you use our website purely for informational purposes (if you do not provide us with information via the contact option or make use of other functions of the website), we process the data transmitted by your browser in order to enable you to visit the website by means of cookies for statistical purposes and to improve our internet offer. For the purely informational use of our website, there is no obligation to actively provide personal data.

For more information, please see the "Cookies" section below.

In addition to the purely informational use of our website, we offer various services and functions that you can use if you are interested, such as password-protected areas for online banking, a contact form and social media or other third-party functions (e.g. maps from Google). If you use extended functions of our website, we need the information marked as mandatory fields in order to process your request or to provide the function. Without this information, the respective function may not be used.

The collection and processing of personal data in connection with the password-protected areas is only carried out by prior agreement between you and us – please feel free to contact us.

When you contact us by e-mail or via the contact forms, at least your e-mail address and, if applicable, other personal data will be collected, processed and used by us to answer your enquiry, depending on the nature of your enquiry. Information required by us is marked accordingly with an asterisk (*). Voluntary information is often possible, but not marked separately. Information that you send us via the contact form is encrypted and is therefore not visible to third parties.

We provide separate information about the social media or other third-party functions below.

In addition, we process your personal data in particular in the context of the following events:

• to stay in personal contact with you even in the context of digital events,
• to offer you video banking,
• to find out your opinion about our products and services through event-related surveys,
• to ensure targeted business communication. This enables us, for example, to offer you specific services, to respond to your specific inquiries and, where applicable, to comply with existing legal obligations. In addition, this procedure serves to protect the data contained in the communication in order to prevent its access and use by unauthorized persons. It is not intended to pass on contact details or other personal information about contact persons to third parties, unless this is necessary for the specific business relationship, such as the execution of a customer order, or for the fulfilment of legal obligations.

Such applications typically use the following data in particular:

• Participant information, such as first and last name or email address
• Metadata, such as IP address or duration of the online session
• for chat, audio or video use: text data for display and, if necessary, logging as well as recording data from the microphone

In detail, we will inform you separately in advance of the applications we use and all associated information, such as the purpose of the processing, legal basis, deletion periods, recipients of the data or your right of revocation.

We would like to offer you relevant products and services that we consider suitable. To make this possible, we process your personal data that we have received from you (e.g. in the case of a specific request via the contact form), as well as data from other sources.

To the extent permitted by law, we may also use personal data in aggregated or anonymised form for statistical analyses, internal evaluations, as well as for the further development of our services and the fulfilment of the Bank's social tasks. A conclusion about individual persons is excluded here.

In order to be able to offer relevant products and services, we make use of our internal bank systems. Any relevant information we hold about you will be collected herein, including for direct marketing purposes. In order to be able to provide you with relevant offers, we apply customer selection processes.

To the extent that the use of your personal data for direct marketing purposes is not in the legitimate interests of the Bank, we will obtain your consent to do so. In any case, you have a right of objection or revocation, which we will point out to you separately. You also have the right to object to the creation of a personalized customer profile for direct marketing purposes.

You can find our privacy policy for online events here.

Where necessary, we also process personal data to ensure IT security, to prevent fraud / abuse and to comply with legal and regulatory obligations. This may also affect individuals who do not have a direct contractual relationship with us if this is necessary to process transactions or to comply with legal requirements.

Cookies are small packets of data that are stored on your hard drive using the browser. Cookies cannot run programs or transmit viruses to your computer.

We use cookies and similar technologies that are necessary for the website to function and for the safe and intended use of the website ("functional cookies"). With your consent, we also use "marketing and analytical cookies". These are used to analyse the use of our website and to personalise content and advertisements to adapt them to your needs and interests. By clicking on "accept" or "reject" in the cookie notice on the website, you determine the extent to which Bethmann HAL may use marketing or analytical cookies.

Please note: If you delete cookies or set your browser to refuse cookies, this may affect the functionality of the website. However, the mere setting that cookies are rejected does not mean that cookies accepted by you or your browser in the past will no longer work – in case of doubt, you must actively delete cookies.

Instructions on how to deactivate or delete cookies in whole or in part in the browser you are using, as well as further information on their use and functionality, can be found in the online help or operating instructions of your browser or device.

Cookie overview bethmann-hal.de:

Social network buttons are implemented on our website, which link to social networks such as XING, LinkedIn, Facebook, Instagram and Twitter. By clicking on one of the buttons, you will first be taken to a login page of the respective social network, if you are not yet logged in there at the time of the mouse click, or to our respective company page in the respective social network.

In the event that you are already logged in to the respective social network at the time of clicking on one of our social network buttons, the social network already has the opportunity to collect data about you when you click on the button and, in particular, can recognize which website you come from.

If you do not want a social network to collect data about you in the manner described above, you must in any case log out of the respective social network before clicking on one of our social network buttons; depending on the social network, however, the simple use of the recommend function may be limited or even excluded.

For further details on data protection for the social networks linked on our pages, we recommend that you regularly consult the current data protection declarations of the operators of the respective social networks:

30, 20354 Hamburg, Germany.

XING's privacy policy is available at:

https://www.xing.com/privacy

LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.

The LinkedIn Privacy Notice is available at:

https://www.linkedin.com/legal/privacy-policy

Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

The Data Policy is available at:

https://de-de.facebook.com/about/privacy/

Google, Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google's privacy policy is available at:

http://www.google.com/intl/de/policies/privacy/index.html

Twitter Inc. (X), 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

The X Privacy Policy is available at:

https://x.com/de/privacy

YouTube

The YouTube Privacy Policy is available at:

https://policies.google.com/privacy?hl=de

Use of Google Maps on our website

The Google Maps interface is integrated into our website to visually display geographical information about our group companies. When using Google Maps, Google also collects, processes and uses data about the use of the Maps functions by visitors to the website. You can find more information about data processing by Google in Google's privacy policy under https://www.google.com/intl/de/policies/privacy/index.html. Third-party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001 https://www.google.com/intl/de_US/help/terms_maps.html.

We process your data that reaches us via the website either on the basis of legitimate interest within the meaning of Art. 6 (1) (f) GDPR or, if you have given explicit consent, on the basis of this consent and Art. 6 (1) (a) GDPR. If your contact is aimed at concluding a contract with us, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

Within the Bank, access to your data is granted to those entities that need it to communicate with you (e.g. to process your contact requests), for the purpose of initiating a contract with you or to protect our interests in optimising our website, e.g. with regard to user-friendliness and the customer-oriented design of content. Processors used by us (Art. 28 GDPR) may also receive personal data for these purposes. These can be companies in the categories of banking services, IT services, logistics, printing services, telecommunications, consulting and consulting, as well as sales and marketing. We carefully select these companies. In a contract with them, we make clear agreements about how they handle your data. We remain responsible ourselves if we involve another company that acts on our behalf.

Within the ABN AMRO Group, personal data may be transferred within the Group – if necessary – for internal administrative purposes, to ensure uniform security, risk and compliance standards, and to fulfil legal obligations. In doing so, we ensure an appropriate level of protection through Group-wide data protection requirements (Binding Corporate Rules).

In order to ensure an adequate level of security, the ABN AMRO Group has adopted Binding Corporate Rules (BCRs) within the meaning of the EU General Data Protection Regulation, which ensure that personal data exchanged within the Group is protected. For more information on the ABN AMRO Group's Binding Corporate Rules, please visit the  ABN AMRO website.

If you are a customer of our company, we may also have to pass on your personal data to other recipients outside our company in some situations. With regard to the transfer of data to recipients outside the bank, it should first be noted that according to the general terms and conditions agreed between you and us, we are obliged to maintain secrecy about all customer-related facts and evaluations of which we become aware (banking secrecy). We may only pass on information about you if required by law, if you have consented or if we are authorized to provide a bank report. Under these conditions, recipients of personal data can be, for example:

• Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities) in the event of a legal or regulatory obligation.
• Other credit and financial services institutions or similar entities to which we transfer personal data in order to carry out the business relationship with you (depending on the contract: e.g. correspondent banks, custodian banks, stock exchanges, credit agencies). For example, if you transfer money to another bank, your data will of course also be sent to this bank. Otherwise, payment transactions would not be possible.

Other data recipients may be those entities for which you have given us your consent to the transfer of data or for which you have exempted us from banking secrecy in accordance with the agreement or consent.

We use services (e.g. Google Analytics 4) whose providers are partly located in third countries whose level of data protection may not correspond to that of the EU. To the extent that this is the case and the European Commission has not issued an adequacy decision for these countries, we take appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, for example, standard contractual clauses of the EU. Where this is not possible, we base the data transfer on exceptions to Art. 49 GDPR, in particular on your explicit consent or the necessity of the transfer for the performance of the contract.

If a transfer from a third country is provided for and there is no adequacy decision or no suitable safeguards, it is possible that authorities in the respective third country can gain access to the transferred data and that the enforceability of your rights as a data subject cannot be guaranteed.

Google Analytics 4 is a tool provided by Google LLC, a company based in the United States of America. It serves ABN AMRO Bank N.V. as the operator of the website "bethmannbank.de" and the associated My Portal apps for the analysis of your use. By collecting website and app data, your behavior can be tracked. Information that can be evaluated is, for example, the number of visitors to a website, which content is accessed most often, or the length of time each visitor spends on individual content. Other important information that ABN AMRO Bank N.V. may receive is demographic characteristics such as language and location or the browser used to access it. The aim is to use the collected data to obtain information about the use of the website and the apps in order to drive further development and optimisation of the content and functions. When using Google Analytics 4, various personal data of yours is therefore processed. This is done for the purpose of compiling extensive statistics and providing ABN AMRO Bank N.V. with information about the use of its website and apps. The data may be stored on Google servers in the United States of America. The United States of America is a third country that has a lower level of data protection than EU countries. You have the option of opting out of data collection.

In some cases, we process your personal data automatically with the aim of evaluating certain personal aspects (hereinafter referred to as "profiling"), in particular if a contract is to be concluded or has been concluded with you. For example, we use profiling in the following cases:

Due to legal and regulatory requirements, we are obliged to combat money laundering, terrorist financing and crimes that endanger assets. Data evaluations (e.g. in payment transactions) are also carried out.

In order to be able to provide you with targeted information and advice about products, we use evaluation instruments. These enable needs-based communication and advertising, including market and opinion research.

As part of the assessment of your creditworthiness, we use scoring. This calculates the probability with which a customer will meet his payment obligations in accordance with the contract. For example, income circumstances, expenses, existing liabilities, occupation, employer, length of employment, experience from the previous business relationship, contractual repayment of previous loans and information from credit reference agencies can be included in the calculation. The scoring is based on a mathematical-statistically recognized and proven procedure. The calculated score values support us in making decisions in the context of product deals and are incorporated into ongoing risk management.

For the establishment and execution of the business relationship, we do not use any automated decision-making in accordance with Art. 22 GDPR that has legal effect on you or similarly significantly affects you. If we use these procedures in individual cases, we will inform you separately if this is required by law.

We process and store your personal data for as long as it is necessary to fulfil the respective purpose. We have described the storage period of cookies above. We have no influence on the storage period of data with third parties, unless there is a contractual relationship with them (e.g. in the area of social media) – here the storage periods result from the respective provisions of the providers.

To the extent necessary and legally permissible, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract. It should be noted that our business relationship is a continuing obligation that is designed for years.

If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted on a regular basis, unless its – temporary – further processing or storage is necessary in particular for the following purposes:

• Fulfilment of retention and documentation obligations, which arise in particular from the German Commercial Code (HGB), the Tax Code (AO), the Banking Act (KWG), the Money Laundering Act (GwG) and the Securities Trading Act (WpHG).
• Preservation of evidence within the framework of the statutory statute of limitations, in particular according to §§ 195 et seq. of the German Civil Code (BGB).

We use artificial intelligence (AI), including generative AI systems, to make our internal processes and services more efficient and secure. AI-supported applications support our employees, for example, in analyzing information, processing inquiries or improving workflows.

It may be necessary for personal data to be processed in the context of the use of AI systems. This is done exclusively for clearly defined and permissible purposes, such as quality assurance, the optimisation of our services or the guarantee of IT and information security.

We use artificial intelligence responsibly and in a controlled manner. We ensure that the use of AI systems is always in line with the applicable legal requirements (in particular the GDPR) as well as with our internal guidelines and principles for the use of artificial intelligence.

Our AI applications are not used unsupervised. Usage is monitored to avoid misuse or misuse and to ensure that decisions with legal or significant effects on individuals are not exclusively automated.

Insofar as personal data is processed in the context of AI-supported applications, we are responsible for this under data protection law. The processing is carried out in particular on the basis of our legitimate interests, for example:

• to improve our internal processes and services,
• to protect our systems, property and data subjects,
• to comply with legal and regulatory requirements.

Personal data will only be processed to the extent and for the duration necessary for the respective purpose. After the purpose of processing has ceased to exist, the data will be deleted or anonymised, provided that there are no statutory retention obligations.

To protect your personal data, we use appropriate technical and organisational security measures, in particular:

• Access restrictions: Access to personal data is only granted to authorized persons with appropriate authorization.
• Encryption: Data is technically protected during transmission to prevent unauthorized access.
• Data protection controls: Compliance with data protection regulations is regularly reviewed.

Our employees are regularly trained in the responsible use of artificial intelligence. Additional information on the use of certain AI applications, including how they work, can be found in the corresponding usage and data protection notices.

Every data subject has the right to information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. The right to information and the right to erasure are subject to the restrictions under §§ 34 and 35 BDSG. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG). We generally respond to inquiries from data subjects within one month. In justified cases, this period may be extended in accordance with the legal requirements, in which case we will inform you accordingly.

You can revoke your consent to the processing of personal data at any time.

Information about your right to object according to Art. 21 GDPR

Case-by-case right of objection:

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR, which we use for credit assessment or advertising purposes.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

The objection can be made in any form and should be addressed to:

ABN AMRO Bank N.V. Frankfurt Branch

Privacy Officer

P.O. Box 10 06 32

60006 Frankfurt am Main

Phone: +49 69 2177-0

E-mail: datenschutz@de.abnamro.com

Right to object to the processing of data for advertising purposes:

In individual cases, we process your personal data for the purpose of direct marketing. You have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

In addition, you can tell us at any time that you do not wish to receive offers for our products and services.

The objection can be made in any form and should be addressed to:

ABN AMRO Bank N.V. Frankfurt Branch

Privacy Officer

P.O. Box 10 06 32

60006 Frankfurt am Main

Phone: +49 69 2177-0

E-mail: datenschutz@de.abnamro.com

Please contact us if you have any questions about this Privacy Notice. We are happy to help you. In addition to the data protection officer, our complaint management department is also available to assist you in this regard. In particular, if you do not agree with how we handle your data, you can file a complaint with the

ABN AMRO Bank N.V. Frankfurt BranchComplaint Management

P.O. Box 10 06 32

60006 Frankfurt am Main

.

You also have the right to lodge a complaint with the relevant data protection authority. For the bank, the Hessian Data Protection Commissioner, Wilhelmstraße 7 1, 65185 Wiesbaden, is the responsible data protection supervisory authority; For more information, see https://www.datenschutz.hessen.de

What to do if you receive a phishing email:

Do you suspect that you are dealing with a phishing email? Please follow our recommendations:

• Do not click on any files, links, or attachments in the email or text message
• Do not reply to the email or text message
• If you have clicked on an insecure link or an insecure file, notify us of the scam
• Forward the phishing email to: phishing@de.abnamro.com
• Instantly delete the fake email or text message

For more information, click here.

We are continuously working to improve our systems and processes and thus make online banking as secure and reliable as possible for you. If you should nevertheless notice a weak point, we would be very grateful if you would point it out to us. Because despite all care, mistakes can happen. If you notice or suspect a vulnerability in our IT systems, we ask you to inform us first and thus support us in finding a solution. With your help, we can constantly improve to prevent fraud or system failures. If you make these vulnerabilities in our IT systems public without first talking to us about them, this can have serious consequences. Criminals could use your information in this way, for example, for Internet fraud.

Reporting weak spots in IT systems - ABN AMRO

This privacy policy is regularly amended in order to adapt it to changes in the law and/or the processing of personal data by Bethmann HAL. You can see this by the revision date of this document listed below. We recommend that you review this Privacy Policy periodically.