Describe the private banking confidentiality obligations.

Although bank secrecy is not regulated by law, the existence of bank secrecy is generally accepted by the courts. Banking secrecy provisions are an important part of the General Terms and Conditions of Private Banks. Furthermore, the banks must fulfil the confidentiality obligation according to the Federal Data Protection Act and the General Data Protection Regulation (GDPR) (Regulation (EU) No. 2016/679).


What information and documents are within the scope of confidentiality?

Bank secrecy forbids the bank from disclosing customer-related facts; for instance, the existence of agreements between bank and customer or the assessment of the financial status of the customer by the bank.

The Federal Data Protection Act and General Data Protection Regulation (GDPR) protect the personal data of customers. The collection, storage, modification or transfer of personal data or their use as a means of fulfilling one’s own business purposes is possible only under the requirements of the Federal Data Protection Act and GDPR.

Exceptions and limitations

What are the exceptions and limitations to the duty of confidentiality?

There are several exceptions and limitations to the duty of confidentiality, for instance:

  • if a bank employee is questioned by a court as a witness in a criminal case in which the customer is the defendant, the employee cannot refuse to answer because of bank secrecy;
  • under certain circumstances, the bank has to disclose account information such as the account number as well as the name and the date of birth of the account holder to the tax authorities, to the German Financial Supervisory Authority or to other state authorities;
  • if the client dies, the asset manager has the obligation to report the account balance to the tax authorities; and
  • there is no obligation of confidentiality in legal proceedings of the bank against the customer.

What is the liability for breach of confidentiality?

In case of an infringement of bank secrecy, the Federal Data Protection Act or the GDPR, the customer is generally entitled to damages. However, the customer will not typically be able to prove that the breach caused damage. This means that the breach of confidentiality is more a reputational risk for the bank.

In general, breach of bank secrecy by an employee of the bank is not an administrative or criminal offence. However, the employee of the bank may commit an administrative or criminal offence by breaching the obligations under the Data Protection Act or the GDPR.

Law stated date

Correct on

Give the date on which the information above is accurate.

12 May 2020.