Data Protection
KfW Development Bank’s data protection principles
You can rely on the protection and safety of your personal data. Protecting your privacy when processing your personal or personally identifiable data is our responsibility. The following data protection principles provide an overview of the processing of your data and the rights you have under data protection regulations when using the products and services of KfW Development Bank. KfW Development Bank is a business area of KfW.
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other applicable legal regulations.
1. Who is responsible for data processing and whom can I contact?
The following party is responsible:
- KfW (hereinafter “we” or “us”)
Palmengartenstr. 5–9
60325 Frankfurt, Germany
Tel: +49 69 74 31-0
Fax: 069 74 31-29 44
You can reach our company data protection officer at:
- KfW
Data protection officer
Palmengartenstr. 5–9
60325 Frankfurt, Germany
2. Who receives my data?
Within KfW Development Bank, the departments that need your data to fulfil our contractual and legal obligations receive access to your data. Service providers and subcontractors whose services we use may also receive data for these purposes if they observe banking secrecy and data protection. With regard to the transfer of data, we have undertaken to maintain confidentiality concerning all customer-related facts and assessments about which we become aware (banking secrecy).
We may only disclose information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide such information for other reasons. Under these conditions, recipients of personal data could include:
- Public bodies and institutions (for instance, federal ministries such as the Federal Ministry of Finance (BMF), the Federal Ministry for Economic Cooperation and Development (BMZ), the German Federal Foreign Office, the Deutsche Bundesbank, the Federal Financial Supervisory Authority, the Federal Court of Auditors, courts of auditors in the German states, the Federal Parliament including its committees, the European Banking Authority, the European Central Bank (ECB), the European Investment Fund (EIF), the European Investment Bank (EIB), the European Commission, German federal and state ministries, financial authorities and official bodies) in the event of a legal or official obligation.
- Other credit and financial services institutions or similar institutions to which KfW transfers personal data for the purpose of managing its business relationship with you (e.g. commercial banks or credit agencies, depending on the contract).
- Service providers who process data on our behalf (such as data centres, consultants, external technical experts).
- Judicial and police authorities, law enforcement agencies
- Other bodies or service providers, insofar as we refer explicitly to them in these privacy notices or other KfW Development Bank privacy policies.
Other data recipients may be bodies for which you have given us your consent to transfer data, or for which you have exempted us from banking secrecy by agreement or consent.
If you need further information on individual recipients, please do not hesitate to contact us.
3. Is data transferred to a third country or an international organisation?
Data is not transferred to entities in countries outside of the European Union (known as third countries), with the exception of the cases specified in these privacy notices or other KfW privacy policies found at www.kfw.de and the KfW Privacy Note.
In the case of a transfer to a third country, this only takes place using suitable guarantees for an adequate level of data protection (Article 44 et seq. GDPR), for example if the data transfer is necessary for the performance of your contractual relationship, is required by law or you have given us your consent. If personal data is transferred by KfW Development Bank from the European Union/European Economic Area to its legally dependent Country Offices, KfW Development Bank uses data protection-compliant tools to ensure proper processing in accordance with European standards (guarantee statement):
4. How long will my data be stored?
The duration for which the personal data is stored is based on the fulfilment of the respective processing purposes and the respective retention obligations that prevent deletion. The criteria for determining the respective individual storage periods are the following:
1. If we only process data for the purpose of executing a contractual relationship, we store the data for the duration of the contractual relationship.
2. Where we process data in connection with anticipated legal disputes, we will store the data until the court proceedings have definitively been completed or until the claims at issue have become time-barred in accordance with the applicable civil law provisions. The general limitation period is three years.
3. In addition, we are subject to various storage and documentation requirements arising from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG), among others. The periods for retention and documentation stipulated in these laws range from two to ten years.
5. What are my data privacy rights?
If the statutory prerequisites are met, you have the following rights in accordance with Articles 15 to 22 GDPR:
- Right of access in accordance with Article 15 of the GDPR, i.e. the right to obtain confirmation from us as to whether or not personal data concerning you is being processed, and, where that is the case, access to this personal data and other information;
- Right to rectification in accordance with Article 16 of the GDPR if personal data concerning you is not correct;
- Right to erasure in accordance with Article 17 of the GDPR, e.g. when the personal data is no longer necessary in relation to the purposes for which it was processed;
- Right to restriction of processing in accordance with Article 18 of the GDPR; as well as
- Right to data portability in accordance with Article 20 GDPR, i.e. the right to receive your personal data from us in a structured, commonly used and machine-readable format and the right to transmit that data to another controller. However, in accordance with the second sentence of Article 20(3) GDPR, this right shall not apply to processing necessary for the performance of a task carried out in the public interest.
With respect to the right of access and the right to erasure, the restrictions pursuant to Articles 34 and 35 of the German Federal Data Protection Act apply.
In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR).
6. Right to object in individual cases in accordance with Article 21 GDPR
You have the right to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(1)(f) GDPR (data processing for the purposes of legitimate interests) or Article 6(1)(1)(e) GDPR (data processing for the performance of a task carried out in the public interest), insofar as reasons arise from your particular situation that provide arguments against the processing of this data. This also applies if automated individual decision-making is used (Article 22 GDPR).
If you raise an objection, we will no longer process your personal data, unless we can provide compelling evidence as to why processing is worthwhile that overrides your interests, rights and freedoms, or unless processing serves to assert, exercise or defend legal claims. This does not apply if we conduct direct advertising on the basis of the aforementioned provisions. In the event of an objection to the processing of personal data for direct marketing purposes, the personal data concerned will no longer be processed for these purposes without restriction and regardless of any balancing of conflicting interests.
Objections pursuant to Article 21 GDPR can be addressed in writing or by email to KfW or KfW’s Data Protection Officer using the contact information provided under clause 1. Alternatively, an objection that only concerns direct marketing can be sent to widerspruch@KfW.de.
7. No automatic decision-making in particular cases
No automated decisions within the meaning of Article 22 GDPR are made in connection with the promotion.
8. Visitors to the website
8.1. Which sources and data does KfW Development Bank use?
We process personal data that we receive as part of your use of this website and contact forms, subscription to newsletters and submission of complaints.
Personal data we process includes contact data such as name, address, telecommunications data, IP address, telemetry data, log data and email address.
8.2. What does KfW Development Bank process your data for and what is the legal basis?
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other applicable legal regulations.
For technical reasons, it is necessary to collect and store certain personal data when you visit our website and our portals, such as the IP address, the date and duration of your visit, the websites used, the identification data of the used browser and operating system type and, if applicable, the website from which you arrived at our site. The legal basis for processing your personal data in this context is Article 6(1)(1)(f) GDPR.
The products and services cited as examples below, which you can find on our website, require you to provide additional personal data in order to use them.
8.2.1 General communication and mailing of our newsletters
- General communications, particularly via the contact form
- Processing other enquiries
- Sending newsletters
If you have given us your consent to process personal data for specific purposes (e.g. to send our newsletter), this consent serves as the legal basis for processing the data (Article 6(1)(1)(a) GDPR). Consent which has been granted may be revoked at any time. This also applies to revoking declarations of consent that were issued to us before the GDPR took effect, i.e. before 25 May 2018. If consent is revoked, the legality of data processing carried out before consent was revoked is not affected.
8.2.2 Analysis of user behaviour and direct marketing – for the purpose of safeguarding legitimate interests:
- Testing and optimising demand analysis procedures for the purpose of improving how we approach business partners.
- Advertising or market research and polling, as long as you have not objected to the use of your data
- Measures in relation to business management and the further development of services and products.
The legal basis for processing your personal data in this context is Article 6(1)(1)(f) GDPR unless we have, in individual cases, obtained your consent. Pursuant to this provision, processing personal data is permissible if this is necessary for the purposes of legitimate interests except where such interests are overridden by the interests or fundamental rights of the data subject which require that the personal data are not processed. We have a justified interest in aligning our offers with business partner behaviour and optimising them. We believe that these interests prevail since, as an international financial institution, we must control and optimise our offers in order to fulfil our promotional mandate. The alignment with our business partners allows us to offer and optimise services according to the needs and interests of our business partners. We protect the relevant data in such a way that we do not see any overriding disadvantages for you.
8.2.3 Risk management and compliance
- Assertion of legal claims and defence in legal disputes
- Prevention and investigation of criminal activities
- Guarantee of IT security and IT operations at the bank
- Risk management in the bank.
The legal basis for processing your personal data in this context is Article 6(1)(1)(f) GDPR. Our legitimate interest consists in complying with applicable legal provisions, maintaining the security of our IT systems and, in case of non-compliance with legal requirements or violations of security regulations, responding adequately to such circumstances, for instance by establishing legal claims. We believe that these interests prevail since, as a bank, we are subject to a significant number of regulatory requirements and have a responsibility towards our customers to ensure that the corresponding requirements and security regulations are complied with. We protect the relevant data in such a way that we do not see any overriding disadvantages for you.
8.2.4 Social media
As part of our website, we use various social media plugins (Facebook, X, LinkedIn, Xing) for the purpose of sharing website content. In particular, for reasons of data protection compliance, the respective social media plugins are not directly accessible but are indirectly integrated using the so-called “Shariff” solution. This solution prevents a connection to a social network from being established simply because you call up a page with a social plug-in without activating it. Information is only transmitted to the social network if you activate the corresponding button of the respective social media provider. Activating the plugin by clicking on the button constitutes consent within the meaning of Article 6(1)(1)(a) GDPR.
By activating the plugin, you will provide the social media platform with the information that you have opened one of the web pages of the platform on the Internet. If you are already registered with the social media platform, it will be able to link your visit with your account on the social media platform. However, even if you have not yet registered with the social media platform, it is not possible to preclude the possibility that it will collect and/or store your IP address after you click on the platform. We have no influence on this further processing of your personal data by the social media providers. This takes place outside our liability.
In addition, we would like to point out that KfW has its own company profiles on various social media platforms for public relations purposes. Further information on this can be found in KfW’s Social Media Privacy Policy. Section 5 provides an overview of the social media used by KfW and the further data protection information they provide. Please inform yourself about this in addition to further details of how data is processed by social media.
8.2.5 Cookies and other technologies
We use cookies and other technologies on the one hand for the operation of our website and on the other hand for pseudonymised recording of website use. In this way, we can conduct analyses of user behaviour by collecting and analysing the information communicated by your browser. However, none of these analyses are linked to individual persons. Any personal identification characteristics, in this case the IP address, are deleted at the moment of processing and replaced by an indicator, which makes it impossible or at least extremely difficult to identify the data subject. This methodology ensures that KfW Development Bank is routinely unable to establish a concrete link to the particular person.
We have explained in detail which cookies and other technologies are used for which specific purposes and on what legal basis this takes place in our cookie policies. This is also where you have the option to manage them.
You can open the cookie policies by clicking on the blue circular symbol with the fingerprint at the bottom left of this page.
9. Bidders and Consultants
9.1.1 Awarding procedure
In the case of awarding procedures, we process your personal data for the purpose of processing the bidder documents and, if successful, the other personal data necessary for the implementation of a contract. This includes the follow-up of the implementation of a contract and payment processing. This concerns, for example, the name, contact and identification data of the persons involved in the awarding process, personal data necessary for the selection of the bidder (e.g. qualifications) or payment processing (e.g. time sheets, banking connection).
There are various legal obligations for which compliance may require the processing of your personal data. This includes, for example, legal requirements (e.g. from the German Banking Act, the Money Laundering Act, from tax laws, budgetary provisions) as well as derived (banking) regulatory requirements (e.g. from the Deutsche Bundesbank, the Federal Financial Supervisory Authority or the Federal Office for Economic Affairs and Export Control). The purposes include, for example, identity verification, prevention of fraud, money laundering and terrorist financing, compliance with tax duties and obligations under aid and procurement law or maintaining the security of IT systems.
The legal basis for processing your personal data in this context is Article 6(1)(1)(b) and (c) GDPR.
Any further use and disclosure of your data will not take place without your explicit consent.
9.1.2 Qualification lists
We maintain qualification lists for future projects. These lists allow us to identify and contact suitable consultants, tender agents and other experts.
If you have worked for KfW Development Bank as an expert and are not currently supervising an active project or have applied for a project, you have the option of voluntarily consenting to inclusion in a qualification list. We will then keep your data for a maximum of 5 (five) years from the last contact with you.
The purpose of the processing is to contact you again and/or to update your qualification data.
For this purpose, we require your consent to the processing of your data, such as your contact information and your relevant qualifications.
You can withdraw your consent at any time. The lawfulness of the processing up to this point in time remains unaffected by the revocation. After revocation, we will delete your data, unless further storage is required due to statutory retention periods or other data protection reasons.
In cases where we have entered into a contractual relationship with you, we process your personal data, such as your contact data and qualifications, for the purposes of the implementation of a contract and possibly subsequent contact for similar projects on the basis of a contractual relationship pursuant to Article 6(1)(1)(b) and in connection with the performance of our public duties pursuant to Article 6(1)(1)(e) GDPR in conjunction with the Law Concerning KfW.
After the end of the contractual relationship, you can ask us to delete your personal data from the qualification lists at any time. If you do not do so, we will store your data for a maximum of 5 (five) years from the last contact and then delete it.
10. Project partners in FC projects
We process data from project partners and their employees in FC projects for project initiation, project review and contract preparation, contract conclusion, implementation, project completion and appraisal. This involves the processing of names and contact data in the organisational context (such as the business e-mail address) of the persons and employees present, the identification data as part of the KYC check (persons present) and – in individual cases – images created as part of projects. In particular cases, individuals may be depicted. As part of the KYC check, KfW Development Bank also offers a “Video-Ident” video identification procedure. During the identification process using Video-Ident, personal data is collected to the required extent for identification and documentation purposes and processed by a service provider for a specific purpose. Only the result of the identification process will be forwarded to KfW after completion of the identification.
The legal basis for processing your personal data in this context is Article 6(1)(1)(b) and (c) GDPR.
The data will not be used or shared in any other way.
The data is generally processed in KfW’s own data centres with very high security standards. In addition, KfW uses central infrastructure and cloud services to achieve reliable data processing with correspondingly short processing times and a high level of multi-layered security methodology. KfW only uses server locations within the European Union and does not intend to transfer data to third countries. Nevertheless, as part of an international group, the European cloud service provider used by KfW may be obliged to hand over personal data to security authorities via its parent company on the basis of non-European legal systems – including countries that do not have privacy protection laws equivalent to GDPR.
11. Complaints
We process your complaints in connection with FC projects or awards that affect you negatively and process the information you provide, such as your email address and/or the content of your complaint. These complaints can be submitted in writing (by email or web form) or in writing via a KfW Development Bank Country Office.
The legal basis for this is the fulfilment of a legal commitment pursuant to Article 6(1)(1)(c) GDPR to process your complaints. In addition, you give us your voluntary consent pursuant to Article 6(1)(a) GDPR in the case of transmission in writing, by telephone or verbally. We will forward your complaint to internal specialist departments within the framework of our legitimate interests (Article 6(1)(1)(f) GDPR) if this is necessary for the processing of the complaint. Furthermore, the processing of the complaint may also be in the public interest pursuant to Article 6(1)(1)(e) GDPR if the complaint relates to FC projects of general public interest.
When processing/answering your complaints, transfer to third countries is possible. If you have sent us a letter, we will reply to your sender address. If you have contacted us electronically, we will also contact you via this channel to discuss the matter if necessary. To preserve your anonymity, your personal data will not be passed on to third parties unless you have expressly consented to this. The legal basis for the transfer is Article 49(1)(d) GDPR, as the transfer is necessary for important reasons of public interest.
As of: May 2025