
Data protection information according to Art. 13 GDPR for institutional brokers

In this data protection notice, we explain how we process your personal data in the context of the registration, trading and custody of crypto assets and how you can exercise your associated rights.

I. RESPONSIBLE BODY WITHIN THE MEANING OF THE GENERAL DATA PROTECTION REGULATION

 

Responsible in the sense of data protection law for the collection and processing of your personal data in the context of our business relationship is

EUWAX AG

Börsenstraße 4

70174 Stuttgart

email: info@boerse-stuttgart.de, b2b.support@bsdigital.com

 

II. CONTACT DETAILS DATA PROTECTION OFFICER

 

Ms. Yvonne Piater

Post: Data Protection Officer, EUWAX AG,

Börsenstraße 4, 70174 Stuttgart

email: dsb@boerse-stuttgart.de

 

III. PURPOSES AND LEGAL BASIS OF DATA PROCESSING

 

For the trading of cryptocurrencies and the associated custody of your cryptocurrencies, we process your personal data as described below.

III.1. Performance for the implementation of pre-contractual measures and contractual obligations (Art. 6 (1) (b) GDPR)

Your personal data will be processed for the necessary purposes of the conclusion of the contract and the performance of the contract to:

  • you as an "Acting Person" so that you can enter into and administer it on behalf of the company with whom we have a contract;
  • register you as a "user" on our trading interface so that you can trade and manage Crypto assets on behalf of the company with whom we have contracted; 
  • communicate with you when you contact us, when you ask us for information about our company or services, or for the purposes of updating contracts;
  • to carry out the termination of the contract.

III.2. Compliance with legal requirements (Art. 6 para. 1 lit. c GDPR) 

We process your personal data to comply with our legal and regulatory obligations, including regulatory and financial regulations, including, but not limited to:

In the case of "appearing persons":

  • Verifying and updating your identity as part of the KYC (Know Your Customer) process, including, where applicable, the identity of the respective beneficial owners and agents;
  • Assessment, evaluation, if necessary, initiation of measures, if necessary legal reports according to § 43 GwG;
  • Screening of the customer database and transaction filtering that are reasonably designed to ensure compliance with applicable laws;
  • recording transactions for accounting purposes;
  • Preventing and detecting bribery;
  • Origin of funds check;
  • Fulfilment of control and reporting obligations under tax law;
  • To conduct and report various business transactions, transactions or instructions, or to respond to an official request from a duly authorized domestic or foreign financial, tax, law enforcement or judicial authority, any other governmental authority or public body based on legal authorization.

For "Users":

  • Assessment, evaluation, if necessary, initiation of measures, if necessary legal reports according to § 43 GwG;
  • Screening of the customer database and transaction filtering that are reasonably designed to ensure compliance with applicable laws;
  • recording transactions for accounting purposes;
  • Preventing and detecting bribery;
  • Origin of funds check;
  • Fulfilment of control and reporting obligations under tax law;
  • To conduct and report various business transactions, transactions or instructions, or to respond to an official request from a duly authorized domestic or foreign financial, tax, law enforcement or judicial authority, any other governmental authority or public body based on legal authorization.

III.3. Fulfilment of our legitimate interest or the legitimate interest of a third party (Art. 6 para. 1 lit. f GDPR)

Where we base a processing activity on a legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure a fair balance between the interests. As part of our business, we use your personal information to:

  • Identify and manage the risks we face. To this end, we keep evidence of transactions or transactions, including in electronic form;
  • To prevent, detect and process fraud, we monitor your transactions;
  • to process legal claims and, if necessary, to take over the legal defence in the event of legal disputes;
  • improve cybersecurity, manage our platforms and websites, and ensure operational security;
  • prevent potential incidents and improve our security management;
  • Audit compliance with internal company policies.

III.4. Consent (Art. 6 para. 1 lit. a GDPR)

If, for example, it is expedient to forward your inquiries to third parties in the context of an enquiry from you, this will only be done based on your separate consent. You can revoke your consent at any time without giving us reasons, without affecting the lawfulness of the processing carried out based on the consent before the withdrawal. If we need your consent due to the situation, we will inform you accordingly in advance.

 

IV. TYPES OF PERSONAL DATA WE COLLECT

 

We collect and process personal data from you that identifies or allows you to be identified as a specific individual. These include, for example:

In the case of "appearing persons":

  • Identification data: full name, date of birth, place of birth, nationality, private address, copy of identity card or similar;
  • Professional data: function in the company, type of representation, details of "Politically Exposed Persons (PEPs)"; 
  • Contact details: Business email address;
  • Data from interactions with you: contact details, content and metadata from communications with you;
  • Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and unique identification data;
  • Personalized login credentials or security features used to connect you to the Site and Apps.

For users:

  • Identification data: full name, date of birth;
  • Professional data: function in the company;
  • Contact details: Business email address;
  • Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and unique identification data;
  • Data from interactions with you: contact details, content and metadata from communications with you;
  • Personalized login credentials or security features used to connect you to the Site and Apps.

 

V. FROM WHOM DO WE COLLECT PERSONAL DATA?

 

To provide services, we usually collect personal data directly from you. However, we can also use other sources. We also process personal data of third parties:

  • from other companies of the Boerse Stuttgart Group;
  • from our business partners;
  • where applicable, address search service providers who are themselves responsible for collecting the relevant information in a lawful manner (Melissa Data GmbH, Cäcilienstr. 42-44, 50667 Cologne).

 

VI. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?

 

VI.1. Joint responsibility: 

In order to comply with our legal obligations, we exchange the information collected for the purpose of combating money laundering and terrorist financing, combating corruption or applying international sanctions between companies of the Boerse Stuttgart Group. To combat money laundering and terrorist financing, the companies of the Boerse Stuttgart Group exchange data of data subjects associated with companies that are customers of the companies of the Boerse Stuttgart Group. In such an exchange of data between the companies, we are jointly responsible for the data processing. As part of the KYC process, we work closely with the group companies Boerse Stuttgart Digital Holding GmbH, Boerse Stuttgart Digital Custody GmbH and the Association of the Baden-Württemberg Stock Exchange e.V. We act as joint controllers in that the companies Boerse Stuttgart Digital Holding GmbH, Boerse Stuttgart Digital Holding GmbH and the Association of the Baden-Württemberg Stock Exchange e.V. use a joint tool through which the personal data of customers is jointly accessed and used for each other. Requests from data subjects regarding the rights of the data subject may be directed to any of the joint controllers. The joint controllers inform each other about such requests and support each other in processing them.

VI.2 Disclosure to Other Recipients and Data Processors and Purposes

As part of the custody, registration and use of the trading of crypto assets, we also obtain services from carefully selected contractual partners, such as:

  • support us in the context of customer support / key account management (Stuttgart Digital Holding GmbH, Börsenstr. 4, 70174 Stuttgart; Zendesk GmbH c/o TaylorWessing, Neue Schönhauser Str. 3-5, 10178 Berlin; Next Matter GmbH, Gormannstraße 14, 10119 Berlin);
  • provide us with a frontend (Elwood Technologies Services Limited, Waverley House, 7 – 12 Noel Street, London, W1F 8GQ, UK)
  • ensure technical operation (Boerse Stuttgart Digital Holding GmbH, Börsenstr. 4, 70174 Stuttgart); 
  • Assist us in complying with legal and regulatory requirements (Fenergo Ltd., Castleforbes House, Mayor Street, Dublin 1, D01 A8N0; Notabene ID GmbH, Dammstrasse 16, 6300 Zug, CH).

To fulfil some of the purposes described in the Privacy Notice, we may also share your personal data if necessary to:

  • Other processors who provide services on our behalf (e.g. IT services, telecommunications);
  • Trade repositories with which we have a relationship where such transfer is necessary to provide you with the services you have requested or to perform our contractual obligations or to execute transactions (e.g. banks, correspondent banks, custodians, securities issuers, paying agents, exchange platforms, insurance companies, payment system operators, issuers, guarantee companies or financial guarantee institutions);
  • local or foreign financial, tax, administrative, criminal or judicial authorities, mediators, public authorities or institutions (e.g. the German Federal Financial Supervisory Authority (BaFin)) at their request; to exercise and defend legal claims, e.g. in the context of legal proceedings or other legal proceedings; to comply with an order or recommendation of a competent authority that applies to us; 
  • certain regulated professions such as lawyers, notaries or accountants, if this is necessary in certain circumstances (litigation, audit, etc.).

 

VII. INTERNATIONAL TRANSFERS OF PERSONAL DATA

 

In the context of crypto asset trading, data transfer to third countries, i.e. to countries outside the European Economic Area (EEA), is generally not intended. However, if this is necessary for the fulfilment of our contract with you, e.g. in the case of transactions of crypto assets, or if this is necessary due to legal requirements, e.g. within the framework of the European Money Transfer Regulation (EU/2023/1113) of 20.05.2023 (EU Travel Rule), this will be done in accordance with the requirements of the General Data Protection Regulation.

 

VIII. DURATION OF DATA STORAGE

 

We do not store your data for longer than we need it for the respective processing purposes. If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted on a regular basis, unless it is still necessary to retain it for a certain period of time. Reasons for this can be, for example, the following:

  • The fulfilment of statutory retention obligations: These are in particular the Commercial Code, the Tax Code, the Banking Act, the Money Laundering Act and the Securities Trading Act. The retention and documentation periods specified there are up to ten years.
  • Obtaining evidence of legal disputes within the framework of the statutory statute of limitations: Civil statute of limitations can be up to 30 years, with the statute of limitations being three years.

 

IX. AUTOMATED DECISION-MAKING / PROFILING

 

We process your personal data without the use of automated decision making. 

 

X. RIGHTS OF DATA SUBJECTS

 

Under the statutory requirements, you are entitled to the following rights as a data subject, which you can assert against us. As a data subject, you have the right to obtain information about the personal data concerning you in accordance with Art. 15 GDPR. Your right to information may be limited by law. This is the case, for example, regarding the Act on the Tracing of Profits from Serious Crimes (AMLA), which prohibits us from providing information on such transactions. In accordance with Art. 16 GDPR, you can have your data corrected or, if the requirements of Art. 17 GDPR are met, deleted.

You also have the right to restrict the processing of your data (Art. 18 GDPR). If you can assert a special personal situation, you can object to the processing of your data in general or in parts (Art. 21 GDPR). For data that you have provided to us, you can request a copy in a common format (Art. 20 GDPR). You can revoke any consent you have given us for the processing of your data at any time. To do so, contact dsb@boerse-stuttgart.de.

Further contact options are listed above under "Contact details data protection officer". Please note that the revocation only takes effect for the future and that processing that took place before that does not become unlawful as a result.

You are also entitled, under the conditions of Art. 77 GDPR, to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR. The right of appeal exists without prejudice to any other administrative or judicial remedy.

 

RIGHT TO OBJECT: You have the right to object at any time to the processing of your data that is carried out based on Art. 6 (1) (f) GDPR (balancing of interests) if there are reasons for this that arise from your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We will take this objection into account for the future. We will no longer process your data for direct marketing purposes if you object to the processing for these purposes. The objection can be made in any form and should be addressed to: Ms. Yvonne Piater,

by mail:

Data Protection Officer, Boerse Stuttgart Digital Custody GmbH, 

Börsenstraße 4,

70174 Stuttgart,

by email: dsb@boerse-stuttgart.de.