Data protection information

The following data protection information provides an overview of how your data is collected and processed.


Via the following information, we would like to give you an overview of how we process your personal data and of the rights you have under data protection law. The exact data that is processed and how it is used will essentially depend on which services are requested and agreed.


1. Who is responsible for data processing and who should I contact about this? 


Contact details as follows: 

Grenke AG

Neuer Markt 2

D-76352 Baden-Baden

Phone: +49 (0)7221 5007-0

Fax: +49 (0)7221 5007-222


You can contact the data protection officer for our company at:

Grenke AG

FAO the data protection officer 

Neuer Markt 2

D-76352 Baden-Baden

Email address: datenschutzanti spam bot@grenkeanti spam  


2. What sources and data do we use?

We process personal data that we receive from our customers through our business relationship. We also – if required to provide our service – process the personal data that we are permitted to obtain from publicly accessible sources (e.g. lists of debtors, land register, the register of companies and associations, the press, the internet) or sent to us from our sales partners or other third parties (e.g. a commercial credit agency) with good authorised cause. 

The personal data of relevance is as follows: 


  • Personal details (name, address, date and place of birth and nationality)
  • Contact details (telephone number, email address)
  • Identification details (e.g. ID information)
  • Authentication data (e.g. specimen signature)
  • Order details (e.g. payment order)
  • Data collected to fulfil our contractual obligations (e.g. sales data from payment transactions)
  • Information about their financial situation (e.g. credit information, scoring/rating data, origin of assets)
  • Advertising and sales data (including advertising scores), documentation data (e.g. minutes of consultation) and other data similar to the categories listed above.


3. Why do we process your data (the purpose of the processing) and on what legal basis?


We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Data Protection Act (BDSG): 


a. To fulfil contractual obligations (Article 6 (1 b) GDPR) 


Data is processed in order to provide financial services contracts to our customers or in order to take measures at the request of you prior entering into a contract. The purpose of the data processing will be geared in the first instance to the product itself (e.g. leasing and factoring) and may encompass needs assessment, consultation and the execution of transactions. For further details of the purposes for which data is processed, please refer to the relevant contract documents and terms and conditions. 


b. As part of balancing interests (Article 6 (1 f) GDPR)


If necessary, we will not only process your data for the actual fulfilment of the contract, but also to protect our own legitimate interests and those of third parties, especially


• consultation and data sharing with credit agencies (e.g. SCHUFA) to determine credit and default risks .


For the purposes of checking any credit or default risks, and to defend ourselves against any criminal acts, we provide D-CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich with dataconcerning the request and the applicant. CRIF Bürgel GmbH will make the data saved about you available to us on the DSPortal (Deutsches Schutz Portal) provided that we have given convincing evidence that our interest in this is legitimate.Furthermore, we will send personal data collected for the request for, execution and ending of this business relationship, as well as data for behaviour not in compliance with the contract or for fraudulent behaviour to SCHUFA Holding AG, Kormoranweg 5, D-65201 Wiesbaden, and Boniversum GmbH, Hellersbergstraße 11, D-41460 Neuss.The legal basis for sending this data is Article 6 (1 b) and Article 6 (1 f) of the GDPR. Other legal bases for sending the information to CRIF Bürgel GmbH are Section 25h of the German Banking Act (KWG) and Article 6 (1 a) GDPR. Article 6 (1 f) GDPR may only be used as the basis for sending the data if this is necessary for protecting the legitimate interests of our bank or third parties, and do not prevail over the interests or basic rights and fundamental freedoms of the person affected who needs their personal data to be protected. Data sharing with credit agencies is also done to fulfil legal obligations in relation to conducting credit checks on customers (Section 505a and Section 506 of the German Civil Code, Section 18a KWG). In this respect, you also exempt us from banking confidentiality.The credit agencies will process the data received and also use this to create a profile (scoring), in order to provide their contractual partners in the European Economic Area and in Switzerland and, where necessary, other third party countries (provided there is an adequacy decision from the European Commission for this) with information so they can assess the creditworthiness of natural persons, among others.For detailed information as described in Article 14 GDPR regarding activities undertaken by the credit agencies, please refer to the information provided about the respective agency in the appendix (SCHUFA information sheet, Infoscore information sheet, Creditreform Boniversum information sheet, CRIFBÜRGEL information sheet), or click the following links:

  • For Schufa Holding AG, go to 
  • For Creditreform Boniversum GmbH, go to 
  • For Bürgel Wirtschaftsinformation GmbH & Co KG, go to  



  • Checking and optimising needs requirement procedures for the purposes of direct sales approaches
  • Advertising or market and opinion research, if you have not objected to your data being used
  • Assertion of legal claims and defence during legal disputes
  • Guaranteeing IT security and safeguarding IT operations at our company
  • Prevention and clarification of criminal acts
  • Video monitoring for maintaining domestic authority and for collecting evidence during attacks and fraud (cf. Section 4 BDSG)
  • Building and plant safety measures (e.g. access control)
  • Measures to guarantee domestic authority
  • Business management measures and measures to develop products and services


c. Based on your consent (Article 6 (1 a) GDPR) 


If you have given us your consent to process personal data for certain purposes (e.g. forwarding data within the Group, evaluating payment transaction data for marketing purposes), it will be lawful to do this processing based on the consent you have given. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent received before 25 May 2018, the date on which the GDPR comes into force. Withdrawal of the consent does not affect the legality of the data processed up until the withdrawal.


d. Based on statutory provisions (Article 6 (1 c) GDPR) or public interest (Article 6 (1 e) GDPR)


Furthermore, we are required to meet various legal requirements (i.e. the provisions of the German Banking Act, Money Laundering Act, tax laws) and banking supervisory specifications (e.g. the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and  Federal Financial Supervisory Authority). Reasons for processing data includes to check the creditworthiness, to confirm identity and age, to prevent fraud and money laundering, to fulfil checking and notification requirements set by tax law, and to assess and manage risks.


4. Who will receive my data?

The offices at our companies who need access to your data so that we meet our contractual and legal requirements will receive access to your data. The service providers and agents that we use may also receive the data for these purposes, if they maintain banking confidentiality. These companies fall into the categories of credit-lending services, IT services, logistics, printing services, telecommunications, debt collection, advice and consultation, plus sales and marketing.Please bear in mind that we are required to keep all customer-related data and valuations that we know confidential (banking confidentiality) in the banking sector when we forward data to recipients outside of our company. We are only permitted to forward information about you if statutory provisions demand this, you have given your consent for this or if we are authorised to provide banking information. Potential recipients of personal data under these conditions include (for example):


  • Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, tax authorities, law enforcement agencies) if there is a statutory or official obligation to do so. 
  • Other credit and financial service providers or similar institutions to whom we send personal data in order to maintain the business relationship with you (e.g. correspondent banks, credit agencies, depending on the contract). 
  • Other companies within our Group conducting a risk controlling process because of a statutory or official requirement to do so.


Examples of other data recipients include offices for which you have given your consent to the data being sent, and who you have exempted from banking confidentiality as agreed, or via your consent. 


5. Is data sent to a third country or to any international organisation?

Data will be sent to locations in states outside of the European Union ('third countries') if


  • it is necessary for carrying out your orders (e.g. payment orders),
  • it is legally required (e.g. notification is obligatory under tax laws) or 
  • you have given us your consent to do so. 


6. How are my data processed on the website?


Unless indicated otherwise, we only process your data on our website in the following way in order to process your request (Article 6 (1b) GDPR) or because of legitimate interests we have (Article 6 (1f) GDPR): 


a. Usage data


Any time you access a page or a file, generic data are saved automatically in a log file via this procedure. The data are saved for system-related and statistical purposes only, or as an indicator of criminal acts in certain exceptional cases.We use these data to improve our websites and to present you with content reflecting your interests on various website pages and on multiple end devices. No usage data are combined with personalised data as part of this process. If you decide to send us your data, these data will have optimum back-up during the input process. The same applies to data saved in our system. For security reasons, we will save your IP address. This can be retrieved if there is a legitimate interest for this.We do not create a browser history. Data are not forwarded to third parties or otherwise evaluated unless there is a legal obligation to do so.More specifically, the following data set is stored from every processing request:



  • The end device used
  • The name of the file accessed
  • The date and time of the request
  • The time zone
  • The amount of data transmitted
  • Notification of whether the request was successful
  • Description of the type of web browser used
  • The operating system used
  • The page visited before
  • The provider
  • The user’s IP address


b.Contact us/requests


If you contact us (e.g. using contact forms), we will save your data for the purposes of processing your request and also in case further correspondence is necessary. All data are deleted after your request has been processed. This does not include data for which there is a legal or other requirement to keep the data.


c. Registration


We only use the data given to us during registration so that it is possible to use our website.We collect the following data during the registration process:


  • Email address,
  • Username,
  • Password.


d. Newsletter


Subject to your consent (Article 6 (1a) GDPR), we would be happy to keep you informed of recent developments with our newsletter.For us to send you the newsletter, you have to enter your name and email address and also have the option to provide other information voluntarily. After you have sent your email address, we will send you an email to the email address you entered, in which you have to click a confirmation link to verify the email address you entered.We only store your data for the purpose of sending our newsletter. We also store your IP address and the date of your registration as proof of your registration for the newsletter in cases of doubt.You can unsubscribe from the newsletter at any time by clicking on the ‘Unsubscribe’ link at the bottom of the newsletter. 


e. Use of cookies


To make visiting our websites an appealing experience and to make it possible to use certain features, we use cookies on different pages. Cookies are small text files that are stored on your end device. Some of the cookies that we use are deleted again at the end of the browser session, i.e. after you close your browser (session cookies). Other cookies remain on your end device and enable us or our partner companies to recognise your browser again the next time you visit (persistent cookies).Cookies do not make it possible to access other files on your computer, or discover your email address.Most browsers have settings that mean they accept cookies automatically. If the standard settings are saved for cookies in your browser, all processes will run unnoticed for you in the background. You can change these settings, however.You can adjust your browser so that you are informed when cookies are set and can make individual decisions about accepting them, or generally rule out cookies in certain cases.If you restrict cookies, some individual features of our website may be restricted too.


f. Range analysis using Piwik


We have a legitimate interest (i.e. an interest in the analysis, optimisation and cost-effective operation of our website within the meaning of Article 6 (1f) GDPR) in the use of Piwik, software designed to statistically evaluate user access. Your IP address is shortened before it is saved. Piwik uses cookies that are saved on the users' computers and make it possible to analyse use of this online service by the users. Pseudonymous use profiles may be created for the users during this. The information generated by the cookie about your use of this online service is stored on our server and not forwarded to third parties. You can opt out of this data processing as follows:


g. Embedded YouTube videos


In line with our legitimate interests, we embed YouTube videos on our website; these videos are stored on and can be viewed directly on our website. If you visit the website, YouTube is notified that you have opened the relevant page of our website. Additionally, the data described in section 6 a) are transmitted. This happens regardless of whether or not you have a YouTube account that you have logged into. If you are logged into Google, you data will be attributed to your account directly. If you do not want the data to be associated with your YouTube profile, you must log out before you click on the button. YouTube stores your data as a user profile and uses them for the purposes of marketing, market research and/or customising its website. In particular, your data are evaluated this way (even if you are not logged in) in order to provide personalised advertising and notify other users of the social network of your activity on our website. You are entitled to object to the creation of these user profiles; you must contact YouTube if you wish to exercise this right.

See the privacy policy for more information on the scope and purpose of data collection and processing by YouTube. The privacy policy also contains more information on your right to revoke consent and how to configure your browser in order to protect your privacy: 

Google also processes your personal data in the USA and has subjected itself to the EU-US Privacy Shield.


7. How long is my data saved?


We process and store your personal data for as long as is necessary to fulfil our contractual and legal obligations. Please note that our business relationship is a continuing obligation that is set up for years.If the data is no longer required to fulfil contractual or legal obligations, it will be deleted periodically unless temporary further processing is required for the following purposes:

  • Fulfilment of a duty to preserve the data under commercial and tax laws, i.e. the German Commercial Code (HGB), the General Fiscal Code (AO), the German Banking Act (KWG), the Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). These laws require data to be kept/documented for between two and ten years.
  • Retaining evidence in accordance with the statutory periods of limitation that apply. Pursuant to §§ 195ff of the German Civil Code (BGB), these statutes of limitation can be up to 30 years in duration, although routinely the period tends to be three years. 

8. What data protection rights do I have?

Each individual we deal with has a right 

  • of access in accordance with Article 15 GDPR, 
  • of rectification in accordance with Article 16 GDPR, 
  • of erasure in accordance with Article 17 GDPR, 
  • to set restrictions of processing in accordance with Article 18 GDPR, 
  • to object in accordance with Article 21 GDPR, 
  • and the right to data portability in accordance with Article 20 GDPR. 

The restrictions set out in §§ 34 and 35 BDSG apply to the right of access and the right to erase personal data. Each individual also has a right to complain to the data protection supervisory authority responsible (under Article 77 GDPR in connection with § 19 BDSG).You may withdraw your consent to your personal data being processed by us at any time. This also applies to the withdrawal of declarations of consent received before 25 May 2018, the date on which the GDPR comes into force. Please note that this withdrawal will apply going forward. It will not apply to any data processed before the withdrawal.

9. Do I have to provide data?

You need to provide us with the personal data necessary for us to enter into and maintain a business relationship and to fulfil the requisite contractual obligations associated with this, or when law requires us to collect it. Without this data, we will usually not be able to enter into a contract with you or to execute this contract.
More specifically, money laundering requirements require us to verify your ID document before we enter into a business relationship with you, and to find out and record your name, place and date of birth, nationality, address and ID data when doing so. To ensure that we can meet this obligation, you have to provide us with the necessary information and documents according to Money Laundering Act and notify us immediately of any changes occurring during our business relationship. If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship.

10. To what extent will decision-making be automated?

To establish and maintain the business relationship, we do not use fully automated decision-making in accordance with Article 22 GDPR. If we use this procedure in individual cases, we will provide you with separate information about this, if required by law.

11. Do you do profiling? 

We automate the processing of your data in some cases with the purpose to evaluate certain aspects of you personally (profiling). We use profiling in the following cases (for example):

  • Due to legal and regulatory requirements, we are duty-bound to fight money laundering, the funding of terrorism and criminal acts putting our assets at risk. Data evaluation (including during payment transactions) is also carried out. These measures have also been put in place to protect you. 
  • We use evaluation tools to provide you with targeted information and advice about products. These make it possible to communicate and advertise (including market and opinion research) in a way that meets your needs. 
  • We use scoring when we are assessing your creditworthiness. This process calculates the probability of a customer meeting their payment obligations in accordance with the contract. This calculation will factor in earning capacity, outgoings, existing liabilities, employment, employer, length of service, experience from previous business relationships, repayment of previous loans as contractual agreed-upon, as well as information from credit agencies, for instance. Scoring is based on an accredited mathematical statistical procedure that has been tried and tested. The score values calculated help us to make decisions on product sales and are factored into routine risk management procedures. 




Information about your opt-out right under Article 21 GDPR


1. Right to opt out in individual cases


You have the right, at any time, to opt out of any processing of your personal data taking place based on Article 6 (1 e) GDPR (data processing in the public interest) and Article 6 (1 f) GDPR (data processing to balance interests), for reasons relating to your own particular situation; this also applies to in the meaning of Article 4 number 4 GDPR. 

If you opt out, we will not process your personal data anymore, unless we are able to prove that there are legitimate compelling reasons for the processing that prevail over your interests, rights and freedoms, or the purpose of the processing is to assert, exercise or defend legal claims. 


2. Right to opt out from data processing direct advertising purposes 


In individual cases, we will process your personal data for direct advertising purposes. You have the right to opt out of having your personal data processed for such advertising purposes at any time; this also applies to profiling if this is connected to this kind of direct advertising. 

If you opt out of having your data processed for direct advertising purposes, we will no longer process your personal data for these purposes.

Opting out can take any form but should be sent to the following address wherever possible: 



Grenke AG

FAO the data protection officer

Neuer Markt 2

D-76352 Baden-Baden

Email address: