ESD-3 – Entity-specific disclosure: data protection and information security
Classification in the sustainability statement
Protecting personal data and ensuring information security is a key governance matter for Rentenbank. Due to their cross-cutting relevance for almost all business and support processes, data protection and information security are presented as an entity-specific disclosure. A topical ESRS standard on these matters is not yet available. The following disclosures are closely linked to the explanations on governance structures pursuant to ESRS 2 (GOV) as well as to Rentenbank’s internal control and risk management systems.
Strategic categorisation and objectives
The ongoing digitalisation of business processes, communication channels and data processing is increasing the demands placed on data protection, information security and the resilience of IT-based infrastructure. As a promotional bank with direct federal funding, Rentenbank processes personal data relating to employees, local banks, ultimate borrowers, service providers and other stakeholders. Due to the on-lending principle, contractual and procedural interfaces with on-lending banks are of particular operational and risk-related importance.
As a bank, we are well aware of the growing challenges and risks in an increasingly digitalised world. We place the highest priority on protecting the information about our customers and business partners and on preventing any disruptions to our business operations. We are likewise conscious of the imperative need for effective data protection. We strive to ensure robust digital resilience as a means to counter the growing threats of cyberattacks, technical failures, and unforeseeable emergencies. This resilience is essential to maintaining the trust of customers and business partners and to ensuring the security of business processes. It serves not only to ensure compliance with legal and regulatory requirements, but also to support the sustainable fulfilment of the promotional mandate, the stability of business processes and the protection of sensitive information against unauthorised access, loss or misuse.
Governance, responsibilities and oversight
Overall responsibility for data protection and information security lies with Rentenbank’s Management Board. It ensures that appropriate organisational, technical and human resources are available and that these matters are systematically embedded in the business strategy and in the internal control and risk management system.
The Data Protection Officer appointed by the Management Board, together with their deputy, acts independently and reports directly to the Management Board, both on an ad hoc basis and through an annual activity report. They also advise the organisation on all data protection matters, monitor compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other relevant requirements, and act as a central point of contact for data subjects, business partners and supervisory authorities.
Responsibility for information security is clearly assigned within the organisation to the Cyber Security and Non-Financial Risk department. This department is also responsible for third-party risk management, information and communication technology risk management, and emergency management. Combining these responsibilities in the 2025 financial year realised synergies and made processes more efficient.
Principles, policies and due diligence
Data protection and information security are implemented on the basis of binding internal policies. These are based on the legal requirements of the GDPR and the BDSG, banking supervisory requirements, and recognised information security standards.
Key principles include in particular:
- purpose limitation and data minimisation in the processing of personal data;
- ensuring the confidentiality, integrity, authenticity and availability of information;
- the risk-based design of technical and organisational measures; and
- transparent information for data subjects regarding relevant data processing.
Due diligence includes the identification of relevant risks, the implementation of preventive measures, the structured handling of data protection incidents, and the regular review of the effectiveness of existing processes.
Operational implementation and preventive measures
Rentenbank uses appropriate technical and organisational measures to protect personal data and other sensitive information from unauthorised access. These include role-based access and authorisation concepts, logging and control mechanisms, and measures to secure the IT infrastructure.
Effective information security and emergency management ensures that Rentenbank remains operational even in the event of disruptions, technical failures or crisis situations. Technical contingency plans, clear communication structures and regular drills support the maintenance of orderly business operations.
The processing of personal data generally takes place within Germany or, at a minimum, within the EU/EEA. Transfers to third countries are not envisaged or, where necessary in individual cases, are carried out only in compliance with the requirements of Articles 44 et seq. GDPR.
Information for employees
All new employees receive the brochure Safe Promotional Lending at Rentenbank (Sicher fördern in der Rentenbank). Its main topics are data protection, emergency management and information security, but it also contains information on the Code of Conduct, the Clean Desk Policy, the use of AI technologies and other security-related matters. It also provides information on reporting security incidents and suspected cases, as well as on the relevant contact persons for each topic.
The organisational data protection (Datenschutz) instruction also provides employees with a consolidated set of information on the background, processes and responsibilities relating to corporate data protection.
Awareness-raising, training and risk awareness
A key component of digital resilience is the continuous awareness-raising of employees. All employees receive regular training on data protection, information security and relevant threat scenarios. The aim is to foster long-term risk awareness and ensure that potential incidents are identified at an early stage and handled appropriately.
Training courses provided through an external provider offer employees the opportunity to deepen their knowledge of data protection and information security in an interactive format. Training is mandatory for all employees and participation is tracked. A report is prepared on training courses that have not been completed.
In addition, employees are made aware of risks through simulated phishing attacks conducted with the support of a third-party provider. Such simulated email attacks may, for example, contain links or malicious files. Where employees open links or files, they are made aware of the possible consequences through practical real-life scenarios. Information on the click rate is published quarterly on the intranet. These postings also indicate which psychological tactics were used.
Other awareness-raising measures include intranet postings on selected audits and audit findings, as well as classroom training on current topics.
Handling of incidents, complaints and data subject rights
Rentenbank has established structured procedures for dealing with data protection and information security incidents and for enabling the exercise of data subject rights. Data subjects may exercise their rights under the GDPR. Relevant contact points and complaint mechanisms are transparent and publicly accessible. The protection of personal data is also comprehensively ensured within the whistleblowing system. In the reporting year, there was one serious incident, which was attributable to a system failure at the German Central Bank (Deutsche Bundesbank). This was reported to the competent authorities.
Effectiveness and continuous improvement
The effectiveness of data protection and information security measures is reviewed regularly. Findings from internal controls, training, incidents and external developments are incorporated into the ongoing development of policies, processes and technical measures.
Data protection and information security therefore form part of an ongoing management and improvement process aimed at ensuring Rentenbank’s long-term stability, integrity and trustworthiness.