Data Protection Notice

We are very pleased with your interest in our company MGW Gesellschaft für Geld- und Wertpapiervermittlung mbH München. Data protection is especially important to us. In principle, it is possible to use the websites of MGW mbH without providing any personal data. However, the processing of personal data may be necessary if a data subject wishes to use particular services of our company by way of our website. If the processing of personal data is necessary and there is no legal basis for such processing, we generally ask for the data subject’s consent. The processing of personal data such as the name, address, e-mail address or telephone number of a data subject is always done in compliance with the General Data Protection Regulation and the country-specific data protection regulations applicable to MGW mbH. In this data protection notice, we wish to inform the public about the nature, scope and purpose of the personal data collected, used and processed by our company. This data protection notice also serves to inform data subjects of their rights. As the data controller, MGW mbH has implemented numerous technical and organizational measures to ensure the fullest possible protection of the personal data processed by way of this website. Nonetheless, web-based data transfers are fundamentally vulnerable to security flaws, so that absolute protection cannot be guaranteed. For this reason, every data subject is at liberty to transmit personal data to us by alternative means, for example by telephone.

1. Definitions
The data protection notice of MGW mbH is based on the terms that were used by the European regulator in the issuance of the General Data Protection Regulation (GDPR) and are defined there in Art. 4 GDPR. We use the following terms, among others, in this data protection notice:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
b) Data subject
A data subject is any identified or identifiable person whose personal data are processed by the controller.
c) Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
f) Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
g) Controller or person responsible for processing
Controller or person responsible for processing means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
i) Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not to be regarded as recipients.
j) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
k) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

2. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the member states of the European Union and other provisions in the nature of data protection law is:
MGW Gesellschaft für Geld- und Wertpapiervermittlung mbH München

Raiffeisenallee 16
82041 Oberhaching
Tel.: +49 (0) 89 672 08 100
Fax: +49 (0) 89 672 08 300
Internet: www.mgw-muenchen.de
E-mail: info@mgw-muenchen.de

Data Protection Officer: Carla Ritz
E-mail: datenschutz@mgw-muenchen.de

3. Collection of general data and information (server log files)
The website of MGW mbH anonymously collects a set of general data and information upon every retrieval of the website by a data subject or automated system. These general data and information are temporarily collected without the assistance of the data subject and separately stored in the server’s log files until automatic erasure. The following data and information may be collected:
a) Browser types and versions used,
b) The operating system used by the accessing system,
c) The website from which an accessing system proceeds to our website (so-called referrer URL),
d) Date and time of access of the website,
e) An Internet protocol address (IP address),
f) The Internet service provider of the accessing system.

These data are not commingled with other data sources.

This information is needed (1) to correctly deliver the contents of our website, (2) to ensure the lasting functionality of our information technology systems and technology of our websites, and (3) to provide the information necessary for criminal prosecution to the law enforcement agencies in the event of a cyber-attack. These anonymously collected data and information are not evaluated by MGW mbH.

4. Contact possibility via the website
In accordance with statutory regulations, the website of MGW mbH contains information that allows users to quickly contact our company electronically and communicate with us directly, which also includes a general electronic mail address (e-mail address). If a data subject contacts the controller by means of e-mail or contact form, the personal data transmitted by the data subject are stored automatically. Such personal data transmitted voluntarily by a data subject to the controller are stored for purposes of processing or contacting the data subject. These data are not transferred to third parties.

5. Transfers of data
Personal data are not transferred to third parties for any purposes other than those set out below. We only transfer personal data to third parties when:
  • Express consent has been granted to us in accordance with Art. 6 (1) letter (a) GDPR,
  • This is legally permissible and necessary for the performance of contracts with data subjects in accordance with Art. 6 (1) letter (b) GDPR,
  • If necessary for compliance with a legal obligation in accordance with Art. 6 (1) letter (c) GDPR,
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person in accordance with Art. 6 (1) letter (d) GDPR, and
  • Processing is necessary for the establishment, exercise or defense of legal claims and when there is no reason to assume that this interest is not overridden by the interest of the data subject in non-disclosure of the data, in accordance with Art. 6 (1) letter (f) GDPR.

6. Routine erasure and blocking of personal data
The controller processes and stores the personal data of the data subject only for the period of time required to fulfill the storage purpose or if prescribed by the European regulator or other lawmaker in laws or regulations to which the controller is subject. If the storage purpose is no longer applicable or if a storage period prescribed by the European regulator or other competent lawmaker expires, the personal data are blocked or erased routinely and in accordance with the statutory regulations.

7. Rights of the data subject
a) Right of access according to Art. 15 GDPR
Every data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If that is the case, the data subject may obtain free access to his or her stored personal data and a copy of these data. In addition, the European regulator has granted the data subject access to the following information:
  • The purposes of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to obtain from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject by the controller, or to object to such processing;
  • The right to lodge a complaint with a supervisory authority;
  • Where the personal data are not collected from the data subject, any available information as to their source;
  • The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject also has a right to be informed as to whether personal data have been transferred to a third country or international organization. If this is the case, the data subject also has the right to be informed of the appropriate safeguards related to the transfer. If a data subject wishes to exercise this right of access, he or she may contact the controller at any time.

b) Right to rectification according to Art. 16 GDPR
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement. If a data subject wishes to exercise this right to rectification, he or she may contact the controller at any time.

c) Right to erasure (“right to be forgotten”) according to Art. 17 GDPR
Every data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and insofar as the processing is not necessary:
  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • The data subject withdraws consent on which the processing is based according to Article 6 (1) letter (a) GDPR or Article 9 (2) letter (a) GDPR, and where there is no other legal ground for the processing;
  • The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR;
  • The personal data have been unlawfully processed;
  • The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
If one of the foregoing grounds applies and the data subject wishes to obtain the erasure of personal data stored with MGW mbH, he or she may contact an employee of the controller at any time. The employee of MGW mbH will then see to it that the erasure request is fulfilled without undue delay.

Where MGW mbH has made the personal data public and our company as the controller is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, MGW mbH, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the published personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data insofar as the processing is not necessary. The employee of MGW mbH will see to it that the necessary steps are taken in every case.

d) Right to restriction of processing according to Art. 18 GDPR
Every data subject has the right to obtain from the controller restriction of processing where one of the following applies:
  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  • The data subject has objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the foregoing conditions is met and a data subject wishes to obtain restriction of processing of personal data stored by MGW mbH, he or she may contact an employee of the controller at any time. The employee of MGW mbH will see to it that processing is restricted.

e) Right to data portability according to Art. 20 GDPR
Every data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Article 6 (1) GDPR letter (a) or Article 9 (2) letter (a) GDPR or on a contract pursuant to Article 6 (1) GDPR letter (b), and the processing is carried out by automated means, provided that processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In exercising his or her right to data portability pursuant to Art. 20 (1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that the rights and freedoms of others are not adversely affected. The data subject may contact an employee of MGW mbH to exercise his or her right to data portability.

f) Right to object according to Art. 21 GDPR
Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) GDPR letter (e) or (f), including profiling based on those provisions. After receiving such an objection, MGW mbH will no longer process the personal data unless MGW mbH can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims. The data subject may contact any employee of MGW mbH at any time to exercise the right to object. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may also exercise his or her right to object by automated means using technical specifications.

g) Automated individual decision making, including profiling, according to Art. 22 GDPR
Every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or performance of, a contract between the data subject and the controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is based on the data subject’s explicit consent. If the decision (1) is necessary for entering into, or performance of, a contract between the data subject and the controller, or (2) is based on the data subject’s explicit consent, MGW mbH will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. The data subject may exercise the rights related to automated decision making at any time by contacting an employee of the controller.

h) Right to revoke a consent under data protection law according to Art. 17 (1) letter (b) in conjunction with Art. 21 GDPR
Every data subject has the right at any time to revoke a consent to the processing of personal data. If the data subject wishes to exercise his or her right to revoke a consent, he or she may contact an employee of the controller at any time.

i) Right to lodge a complaint with a supervisory authority according to Art. 77 GDPR
Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. In the Federal Republic of Germany, the competent supervisory authority according to Sections 8 ff. of the German Federal Data Protection Act (BDSG) is the Federal Commissioner for Data Protection as the highest federal authority, who can be reached as follows: The Federal Commissioner for Data Protection and Freedom of Information, Husarenstr. 30, 53117 Bonn, telephone 0228 – 997799-0, fax 0228 – 997799-5550, e-mail: poststelle@bfdi.bund.de, Internet: www.bfdi.bund.de.

8. Data protection in the context of job applications and job application procedures
The controller collects and processes the personal data of job applicants for the purpose of conducting the job application procedure. The processing may also be done by electronic means, particularly when a job applicant transmits suitable job application documents to the controller by electronic means such as by e-mail or by using a web form on the website. If the controller enters into an employment contract with the job applicant, the transmitted data will be stored for the purpose of performing the employment contract with due regard to the statutory regulations. If no employment contract is entered into by the controller with the job applicant, the job application documents will be automatically erased two months after notification of the rejection decision, provided that the job applicant’s right to erasure is not overridden by other legitimate interests of the controller. In this context, another legitimate interest is the obligation to provide evidence in a proceeding under the German General Equal Treatment Act (AGG).

9. Use of web fonts
External fonts, Google Fonts, are used on these web pages. Google Fonts is a service of Google Inc. (“Google”). These web fonts are integrated by means of a server call, usually from a server of Google in the United States. As a result, information about the websites you have visited is transmitted to the server. In addition, the IP address of the browser of the terminal device of the visitors to these websites is stored by Google. You can find more detailed information in Google’s data protection notices, which you can find here:
www.google.com/fonts#AboutPlace:about
www.google.com/policies/privacy/

10. Deployment and use of social media and social networks (social media plug-ins)
Social media and social networks such as Facebook, Twitter, etc., are not used.

11. Other information
MGW mbH does not collect and process personal data for the purpose of direct advertising.
MGW mbH does not conduct profiling and makes no automated decisions.
MGW mbH does not collect and process personal data for scientific or historical research purposes or statistical purposes.
MGW mbH uses no cookies and no analytical tools (e.g. tracking tools, Google Analytics, etc.) on the website.

12. Legal basis for processing
Art. 6 (1) GDPR letter (a) serves as the legal basis for processing operations by MGW mbH when we obtain consent for a certain processing purpose. If the processing of personal data is necessary to perform a contract to which the data subject is party, as in the case of processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 (1) letter (b) GDPR. The same applies for processing operations that are necessary for the performance of pre-contractual measures, as in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which the processing of personal data is required, as in the case of fulfilling tax obligations or obligations under the German Securities Trading Act (WpHG), the German Banking Act (KWG) or the German Money Laundering Act (GwG), the processing is based on Art. 6 (1) letter (c) GDPR. In rare cases, the processing of personal data may be necessary in order to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our place of business, making it necessary to disclose the visitor’s name, age, health insurance information or other vital information to a physician, hospital or other third parties. In that case, the processing would be based on Art. 6 (1) letter (d) GDPR. Finally, processing operations could be based on Art. 6 (1) letter (f) GDPR. Processing operations that are not based on any of the aforementioned legal bases are based on this legal basis when the processing is necessary for the purposes of a legitimate interest of our company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
We are particularly permitted to conduct such processing operations because they were specifically mentioned by the European lawmaker, who represented the view that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 sentence 2 GDPR).

13. Legitimate interests pursued by the controller or a third party
If the processing of personal data is based on Art. 6 (1) letter (f) GDPR, our legitimate interest is the proper conduct of our business to the benefit of all our employees and shareholders.

14. Duration of storage of personal data
The criterion for the duration of storage of personal data is the applicable statutory retention period. After the lapse of this period, the corresponding data are routinely erased if they are no longer needed for the performance or initiation of a contract.

15. Statutory or contractual obligations to provide personal data; necessity for entering into a contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
We inform you that the provision of personal data is required by law in part (e.g. order placement, tax regulations, regulations of banking law and financial services law) or may be required by contractual provisions (e.g. information about the party to the contract). In some cases, it may be necessary for entering into a contract that a data subject provides personal data to us which must then be processed by us. For example, the data subject is obligated to provide personal data to us if our company enters into a contract with the data subject or the company represented by the data subject. The non-provision of personal data would entail the consequence that the contract with the data subject could not be entered into. Before providing personal data, the data subject must contact one of our employees. Our employee will instruct the data subject on a case-by-case basis whether the provision of personal data is required by law or contract or is necessary for entering into the contract, whether there is an obligation to provide personal data, and the consequences of not providing the personal data.