Data Protection Statement

This Data Protection Statement provides you with information about the way that personal data (hereinafter shortened to “data”) is processed on the web pages comprising our web presence, the extent to which such data is processed and the purpose of such processing. It also provides you with information about data processing on the websites, functions and content associated with our web presence, as well as our external online presence, e.g. our social media profiles (hereinafter collectively referred to as our “web presence”). For the meanings of terms used such as “processing” and “controller”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).



Norddeutsche Landesbank – Girozentrale –
Deutsche Hypo – NORD/LB Real Estate Finance

Friedrichswall 10 | D-30159 Hannover
Telefon +49 511 361-0


You can contact our data protection officer:

Norddeutsche Landesbank – Girozentrale –
Torsten Lipsch
Friedrichswall 10
30159 Hannover

Phone: +49 (0) 511 361-2808
Fax: +49 (0) 511 361-982808


Types of data processed:

– Inventory data (e.g. names, addresses)
– Contact data (e.g. email, telephone numbers)
– Content data (e.g. text entries)
– Usage data (e.g. websites visited, content interests, times of access)
– Metadata and/or communication data (e.g. device information, IP addresses)


Categories of data subject

Visitors and users of our website (in the following collectively referred to as “users”).


Purpose of processing

– To provide our web presence, its functions and content
– To respond to contact enquiries and communicate with users
– For security measures
– Marketing


Terms used

“Personal data” is any information that relates to any identified or identifiable natural individual (in the following referred to as the “data subject”). A natural person is considered to be identifiable if they can be identified, directly or indirectly, in particular by matching them to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or any set of operations performed – whether or not by automated means – on personal data. This is a broad term and encompasses practically any use of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organisational measures that ensure the personal data is not attributed to an identified or identifiable natural person.

“Profiling” means any form of the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, institution or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, institution or other body that processes personal data on behalf of the controller.


Relevant legal basis

Article 13 GDPR requires us to inform you of the legal basis of our data processing. If the legal basis is not named in the Data Protection Statement, the following applies: the legal basis for obtaining consent is formed by Article 6 (1)(a) and Article 7 GDPR; the legal basis for processing data in order to perform our services, carry out contractual activities and to answer enquiries is formed by Article 6 (1)(b) GDPR; the legal basis for processing data in order to meet our legal obligations is formed by Article 6 (1)(c) GDPR; and the legal basis for processing data to maintain our legitimate interests is formed by Article 6 (1)(f) GDPR. In the event that the vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6 (1)(d) GDPR serves as the legal basis.


Security measures

Taking into account the achieved state of technical knowledge, the implementation costs and the kind, scope, circumstances and purposes of processing, as well as the different likelihoods of occurrence and severity of risk to the rights and freedoms of natural persons, we implement the appropriate technical and organisational measures to ensure a level of protection that is adequate to the risk in accordance with Article 32 GDPR.

In particular, these measures include ensuring the confidentiality, integrity and availability of data by monitoring physical access to the facilities where data is stored, as well as data access, the entry and forwarding of data, the assurance of data availability and the separation of data. Moreover, we have established processes to ensure that the rights of the data subject are upheld, that data is erased and that we respond to data risks. Moreover, we take into account the protection of personal data as early as during development, e.g. when selecting our hardware, software and processes, in line with the principle of data protection by design and by default (Article 25 GDPR).


Collaborations with processors and third parties

If we disclose or transmit data or otherwise provide data access to any other persons or companies (processors or third parties) within the scope of our processing activities, this only takes place on the basis of a legal permission (e.g. when data is transmitted to a third party such as a payment provider in order to perform a contract as set out in Article 6 (1)(b) GDPR), if you have provided consent, if it is stipulated by a legal obligation or on the basis of our legitimate interest (e.g. when using contractors, web-hosts, etc.).

If we commission third parties with data processing on the basis of what is referred to as a “data processing agreement”, we do so on the basis of Article 28 GDPR.


Transmitting data to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if data is processed during the utilisation of third-party services or during the disclosure or transmission of data to third parties, this only takes place if it is necessary in order for us to perform our (pre-)contractual duties, on the basis of your consent, as the result of a legal obligation or in our legitimate interests. Subject to legal or contractual permissions, we only process data or let it be processed in a third country if the conditions defined in Article 44 ff. GDPR have been met. This means that processing takes place, for example, on the basis of special guarantees, such as the officially recognised confirmation of a suitable level of data protection comparable to that of the EU (e.g. in the US, through the Privacy Shield) or by observing special, officially recognised contractual obligations (referred to as “standard contractual clauses”).


Rights of data subjects

Article 15 GDPR gives you the right to request confirmation about whether personal data is being processed and information about this data as well as other information and a copy of the data.

Article 16 GDPR gives you the right to request that your personal data be completed or that incorrect data that concerns you be rectified.

Pursuant to Article 17 GDPR, you have the right to request that personal data is immediately erased or, alternatively, pursuant to Article 18 GDPR, the right to request that the processing of data be restricted.

Article 20 GDPR gives you the right to request that personal data that you have submitted to us be sent to you and transmitted to other controllers.

Moreover, Article 77 GDPR gives you the right to file a complaint with the relevant supervisory authority.


Right to withdraw consent

Article 7 (3) GDPR gives you the right to withdraw any consent that you have granted with future effect.


Right to object

You can object to the future processing of your personal data at any time pursuant to Article 21 GDPR. In particular, you may object to your data being processed for the purpose of direct marketing.


Cookies and the right to opt out of direct marketing

“Cookies” are small files that are stored on the user’s computer. Cookies can be used to store a range of different information. The main purpose of a cookie is to store information about the user (or about the device that the cookie is stored on) during or after the user has visited a website. “Session cookies” or “transient cookies” are cookies that are erased once a user leaves a website and closes his or her browser. Such cookies can be used to store, e.g., the content of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are cookies that remain stored on the user’s device even after he or she has closed the browser. This allows, for example, for the user’s login status to be stored when the user visits the website several days later. A cookie like this can also be used to save information about the user’s interests, which are used to measure reach or for marketing purposes. “Third-party cookies” are cookies that are supplied by providers other than the controller operating the website (otherwise, if the cookies only belong to the controller, they are referred to as “first-party cookies”).

We may use session or persistent cookies, and we notify users of the use of these cookies in our Data Protection Statement.

If users do not want cookies to be stored on their computers, they are asked to deactivate the relevant option in their browser’s settings. Cookies that have been stored can be erased in users’ browser’s settings. Prohibiting the use of cookies can adversely impact the functioning of this website.

Users can decide to opt out of the general use of cookies for the purposes of online marketing for a number of services, especially for tracking, through the US website or the EU website Moreover, the user can deactivate cookies by turning them off in his or her browser settings. Please note that you then might not be able to use all of the functions of this website.


Erasing data

The data that we process is erased or its processing is restricted as required by Articles 17 and 18 GDPR. Unless otherwise expressly stated in this Data Protection Statement, the data we store is erased as soon as it is no longer required for the purpose for which it was collected, provided the erasure does not contradict any legal obligations. If data is not erased because it is required for other, legally permitted purposes, its processing is restricted. This means that the data is blocked and not used for any other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

In particular, under German law, data must be retained for ten years pursuant to section 147 (1) of the German Fiscal Code (Abgabenordnung – AO) and section 257 (1) no. 1 and section 257 (4) of the German Commercial Code (Handelsgesetzbuch – HGB; books, recordings, management reports, accounting records, account books, for the taxation of relevant documents, etc.); and six years pursuant to sections 257 (1) nos. 2 and 3, and section 257 (4) HGB (business letters).


Administration, financial accounting, organisation, contact management

We process data to carry out administrative tasks, to organise our operations, to perform financial accounting and in order to meet legal obligations such as archiving obligations. To do so, we process the same data that we process in order to provide our contractual services. The legal basis for this processing is formed by Article 6 (1)(c) and 6 (1)(f) GDPR. This processing affects customers, interested parties, business partners and visitors to our website. The purpose and our interest in processing is to carry out administration, financial accounting and organisation, and to archive data, that is, to perform activities in order to maintain our business activities, carry out our tasks and provide our services. The data erased relating to contractual services and contractual communication is the same data as the information named for these processing activities.

We disclose and transmit such data to financial management, to consultants such as tax advisers and auditors, and to other billing centres and payment providers.

Moreover, we store information on the basis of our business interests about suppliers, event organisers and other business partners, e.g. in order to contact them at a later date. We generally store this data, for the most part related to companies, indefinitely.


Business analyses and market research

In order to operate our business efficiently and to identify market trends and the preferences of contractual partners and users, we analyse the data that we have available relating to business processes, contracts, enquiries, etc. To do so, we process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Article 6 (1)(f) GDPR. The data subjects here include contract partners, interested parties, customers, and visitors and users of our website.

These analyses are carried out for the purpose of performing business analyses, marketing and market research. We may take into account the profiles of registered users with information about factors such as the services that they have used. These analyses help us to increase user-friendliness and to optimise our website and business efficiency. The analyses serve us alone and are not disclosed to external parties unless they are anonymous analyses with summarised figures.

If the analyses or profiles relate to natural persons, they are erased or anonymised with the user’s termination or otherwise two years after the contract expires. Overall business analyses and determinations of general trends are prepared anonymously where possible.


Making contact

When the user contacts us (e.g. using the contact form or by email, telephone or social media), his or her information is processed in order to respond to the contact enquiry and manage it pursuant to Article 6 (1)(b) (within the scope of a (pre-)contractual relationship) and Article 6 (1)(f) (all other enquiries) GDPR. The user’s information may be stored in a customer relationship management system (“CRM system”) or in a comparable enquiry organisation system.

We delete the enquiries once they are no longer required. We review whether or not they are required every two years; moreover, legal archiving obligations apply.


Hosting and sending emails

The hosting services that we use are for the purpose of providing the following services: infrastructure and platform services, computing capacity, memory and database services, sending emails, security services and technical maintenance services that we use for the purpose of operating this website.

We and/or our hosting provider process inventory data, contact data, content data, contract data, usage data, and the metadata and communication data of customers, interested parties and visitors of this website on the basis of our legitimate interest in providing this website efficiently and securely pursuant to Article 6(1)(f) GDPR in connection with Article 28 GDPR (concluding data processing agreements).


Collecting access data and log files

As defined in Article 6 (1)(f) GDPR, we and/or our hosting provider collect data about every time somebody accesses the server that hosts this service (server log files) on the basis of our legitimate interest. This access data includes the name of the web page visited; the file accessed; the date and time of the viewing; the volume of data transmitted; notification that the visit was successful; and information about the browser type and version, the user’s operating system, the referrer URL (the last visited page), the IP address and the provider that sent the request.


Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC (“Google”), on the basis of our legitimate interest (i.e. our interest in analysing, optimising and efficiently operating our web presence as defined in Article 6 (1)(f) GDPR). Google uses cookies. The information generated by the cookie about the way the user uses the website and other elements of our web presence is generally sent to a Google server in the US where it is stored.

Google holds a Privacy Shield certification and therefore guarantees that it will uphold European data protection laws (

Google will use this information on our behalf to analyse the way that users use our web presence. Moreover, Google compiles reports about the activities on the web pages that comprise our web presence and provides us with other services relating to the use of such web pages and the internet. The data processed can be used to generate pseudonymised usage profiles.

We only use Google Analytics with IP anonymisation activated. This means that users’ IP addresses are shortened by Google within member states of the European Union and in other signatory states to the European Economic Area Agreement. The full IP address will only be sent to a Google server in the US and shortened there in exceptional cases.

Google will not combine the IP address transmitted by the user’s browser with any other data in Google’s possession. Users can prevent cookies from being stored by configuring the appropriate settings in their browser software. Users can also prevent Google from using cookies to collect data that relates to their use of the web pages that comprise our web presence and also prevent Google from processing this data by downloading and installing the browser plugin available through the following link:

You will find more information about the way that Google uses data as well as your settings and opt-out options in Google’s Data Privacy Statement ( and in the settings for Google’s use of online advertising (

The user’s personal data is either erased or anonymised after 14 months.

Jetpack (WordPress Stats)

On the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and efficient operating of our website in the sense of Article 6 (1)(f) GDPR), we use the Jetpack plugin (here the sub-function u201eWordpress Statsu201c), which incorporates a tool that statistically analyses visitor access, provided by Automattic Inc. 60 29th Street #343, San Francisco, CA 94110, US. Jetpack uses what is referred to as “Cookies”, text files that are stored on your computer that make it possible to analyse how you use the website.

The information the cookie generates about your use of this website is stored on a server in the US. The processed data can be used to generate usage profiles of users, although these profiles are only used for the purpose of analysis and not for advertising. You will find more information in Automattic’s Privacy Policy: as well as information about Jetpack cookies on the Jetpack website:


Web presence in social media

We have profiles on social networks and platforms in order to communicate with active customers, interested parties and users, and to inform them of our services.

Please note that user data may be processed outside of the European Union. This can entail risks for users, as it can make it harder for them to assert their user rights. Please note that US providers with Privacy Shield certification have committed to complying with EU data protection standards.

Moreover, user data is generally processed for market research and advertising purposes. For example, user behaviour and the user’s interests revealed by this behaviour can be used to generate usage profiles of the user. In turn, usage profiles can be used, for example, to place advertising on and outside of the platforms that are meant to match the user’s interests. For these purposes, cookies with information about users’ usage behaviour and interests are generally stored on users’ computers. Moreover, data can be stored in the usage profiles regardless of which device users utilise (especially if users are members of the platforms in question and they are logged in).

The processing of the personal data of such users takes place on the basis of our legitimate interest in providing effective information to users and communicating with them pursuant to Article 6 (1)(f) GDPR. If the user is asked by the provider in question to grant their consent for data processing (i.e. to declare their consent e.g. by ticking a box or clicking a button), the legal basis for the processing is formed by Article 6 (1)(a) and Article 7 GDPR.

For a detailed description of the different kinds of processing and opt-out options, please see the provider information linked in the following.

When requesting information and asserting user rights, please note that it is most effective to assert these rights against the providers themselves. Only providers have access to user data and can directly take the appropriate measures and provide information. If you still need help, you can contact us.

– Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Privacy Policy:, opt-out:, Privacy Shield:

– LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) – Privacy Policy, opt-out:, Privacy Shield:

– Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland) – Privacy Policy/opt-out:


Embedding of third-party services and content

We use content and service offers from third-party providers on the web pages that comprise our web presence, such as videos and fonts (hereinafter referred to as “content”), on the basis of our legitimate interest (i.e. our interest in analysing, optimising and efficiently operating our website in the sense of Article 6 (1)(f) GDPR).

The prerequisite for this is that the third-party provider of this content sees the IP address of the user, as the provider cannot send content to the user’s browser without his or her IP address. The user’s IP address is therefore required to display this content. We take care to only use content where the provider only needs the IP address to provide the content. Third-party providers can also use “pixel tags” (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyse information such as visitor traffic on the web pages that comprise our web presence. Moreover, pseudonymous information may be stored on the user’s device in cookies and may contain information such as technical information about the user‘s browser and operating system, referring sites, the time of the visit and other information about the use of the web pages that comprise our web presence, or be linked to such information from other sources.


Google Fonts

We use the fonts (“Google Fonts”) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US. Privacy Policy:, opt-out:



Some functions and content of the Xing service, provided by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany, may be used on the web pages that comprise our web presence. This may include content such as images, videos or texts and buttons that users can use to share the content of our web presence on Xing. If the user is a member of the Xing platform, Xing can attribute the user’s access to the content and functions named above to the user’s Xing profile. Xing Privacy Policy:



Some functions and content of the LinkedIn service, provided by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland, may be used on the web pages that comprise our web presence. This may include content such as images, videos and texts and buttons that users can use to share the content of our web presence on LinkedIn. If the user is a member of the LinkedIn platform, LinkedIn can attribute the user’s access to the content and functions named above to the user’s LinkedIn profile. LinkedIn Privacy Policy: LinkedIn holds a Privacy Shield certification, through which it guarantees that it complies with European data protection law ( Privacy Policy:, opt-out: