Information about data processing and data protection
(Update: 01.06.2020 v1)
This document is intended to inform you as fully as possible about how we process your personal data and about your rights under data protection law. The actual processing and use of your data in your individual case depends essentially on which products and services you use or intend to use, which orders you place and which other activities you engage in.
Who is responsible for the processing of my data and who is my contact person?
The person responsible within the meaning of the EU General Data Protection Regulation is: Digisell GmbH
Fax: +49 (0) 30 - 9203 8393 64
Email: [email protected] www.digisell.com
Where do we get your data from?
We receive most of the personal data that we process in connection with our business relationship from our prospects, customers and authorized representatives. In addition, we process personal data that we lawfully collect from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers) or that we legally receive from third parties (e.g. a credit bureau).
Relevant personal data are, for example, name, address, telephone number, email address, date and place of birth, nationality, legitimation data (e.g. ID card data), authentication data (e.g. signature sample), order data (e.g. payment orders), data from the performance of services (e.g. turnover data in payment transactions), information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g. advisory report, technical logging for online banking).
For what purposes do we process your data and on what legal basis?
We process personal data in accordance with the European General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) in the version applicable from May 25th, 2018 and other relevant legal provisions, which mandate processing specifically for credit institutions:
Fulfillment of contractual obligations (Art. 6 Para. 1 b GDPR)
If we conclude a contract for services or the use of our products with you at your request, we will process your data in order to prepare, execute and fulfill this contract. The purposes of data processing primarily result from the specific product or service (e.g. account or loan) and can include account management and the execution of transactions.
Balancing of interests (Art. 6 Para. 1 f GDPR)
Where necessary, we also process your data to safeguard our legitimate interests or those of third parties:
• Consultation and data exchange with credit agencies (e.g. SCHUFA) to determine creditworthiness or default risks in the lending business and the needs of the garnishment protection account or basic account,
• Examination and optimization of procedures for needs analysis for the purpose of direct customer contact,
• Advertising or market and opinion research, unless you have objected to the use of your data for these purposes,
• Assertion of legal claims and defense in legal disputes,
• Guarantee of IT security and IT operation of the payment service,
• Prevention and investigation of criminal offenses,
• Video surveillance to collect evidence in the event of robberies and fraud or to prove dispositions and deposits, e.g. at ATMs,
• Measures for the security of our buildings and technical facilities (e.g. access controls),
• Measures to control business operations and further development of services and products,
• Risk management in the group.
Consent (Art. 6 Para. 1 a GDPR)
If you have given us your consent to the processing of your data for certain purposes, that consent is the legal basis for the processing. You can revoke your consent at any time. This also applies to the revocation of declarations of consent that you gave us before the GDPR became applicable, i.e. before May 25, 2018. The revocation of consent does not affect the lawfulness of the processing carried out until the revocation.
Legal requirements (Art. 6 Para. 1 c GDPR), public interest (Art. 6 Para. 1 e GDPR)
As a payment service provider, we have to fulfill various legal obligations: statutory requirements such as the Banking Act, Money Laundering Act, Securities Trading Act and tax laws, as well as regulatory requirements, e.g. of the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the Federal Financial Supervisory Authority. The purposes of the processing include, among other things, the creditworthiness check, the identity and age check, fraud and money laundering prevention, the fulfillment of tax control and reporting obligations as well as the assessment and control of risks in the payment service provider and in the group.
Who gets my data?
Within the payment service provider, everyone who needs your data to fulfill the purposes mentioned has access to it. Service providers and vicarious agents employed by us can also receive data for these purposes if they are obliged to comply with banking secrecy. These can be companies in the areas of credit services, IT services, logistics, printing services, telecommunications, debt collection, advice and consulting as well as sales and marketing.
With regard to the transfer of data to recipients outside of our payment service provider and the service providers commissioned by us, as a payment service provider we are obliged to maintain secrecy about all customer-related facts and assessments of which we are aware. We may only pass on information about our customers if we are legally obliged to do so, if the customer has consented or if we are authorized to provide information. Examples of possible recipients of personal data are:
• Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, financial authorities, law enforcement authorities) if there is a legal or regulatory obligation, for example:
  • Automated retrieval of account information by the Federal Financial Supervisory Authority (BaFin), ordered by § 24c KWG,
  • Transmission of master and earnings data to the Federal Office of Finance (Bundesamt für Finanzen) when income has been exempted from the withholding tax, ordered by § 45d EStG.
• Other credit and financial service institutions or comparable institutions to which we transmit personal data in order to carry out the business relationship with you (e.g. Deutsche Bundesbank, correspondent banks, other payment service providers or credit agencies).
• Other companies in the group for risk management due to legal or regulatory obligations to which we as a company are subject.
Other data recipients will be considered if you have given us your consent or an express order to transmit data, or you have released us from banking secrecy towards these bodies.
Is data transferred to a third country or to an international organization?
Data is transferred to recipients in countries outside the European Union (so-called third countries) if
• it is necessary for the execution of your orders (e.g. payment orders),
• it is required by law (e.g. tax reporting requirements) or
• you have given us your consent or an express order.
How long do we store your data?
We process and store your data as long as it is necessary for the stated purposes, in particular the fulfillment of our contractual and legal obligations. It should be noted that our business relationship is a permanent obligation.
If the data is no longer required for the stated purposes, it will be deleted regularly, unless further storage and processing is necessary for the following purposes:
• Fulfillment of legal retention requirements, including from the Commercial Code (HGB), the Tax Code (AO), the Banking Act (KWG), the Money Laundering Act (GwG) and the Securities Trading Act (WpHG). The deadlines for storage and documentation specified there are currently two to ten years, whereby the longest deadline must apply in each case.
• Preservation of evidence within the framework of the statutory limitation regulations. According to §§ 195ff. of the Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.
What are my privacy rights?
Every data subject has the right to information (Article 15 GDPR), correction (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR) and data transferability (Article 20 GDPR). The restrictions under §§ 34 and 35 BDSG apply to the right to information and the right to erasure. In addition, you have the right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that you gave us before the General Data Protection Regulation became applicable, i.e. before May 25, 2018. Please note that a revocation only applies to the future; processing that was carried out before the revocation is not affected.
Am I obliged to provide data?
If you want to enter into a business relationship with us, we need data from you to establish and carry out that relationship and to fulfill legal obligations. If you do not provide this data to us, we will not be able and/or not allowed to enter into a contractual relationship with you.
In particular, according to money laundering and other legal regulations, we are obliged to identify you on the basis of your ID document before entering into the business relationship and to collect and save names, place of birth, date of birth, nationality, address and ID data. We can only fulfill this legal obligation if you provide us with the necessary information and documents in accordance with Section 4 (6) of the Money Laundering Act and if you immediately report any changes that may arise in the course of the business relationship. You are obliged to do so. If you do not provide us with the necessary information and documents, we may not enter into or continue a business relationship with you.
To what extent is there automated decision making?
We generally do not use fully automated decision-making in accordance with Article 22 GDPR to establish and carry out the business relationship. If we use these procedures for individual products or services, we will inform you separately if this is required by law.
Does “profiling” take place?
We process some of your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:
• In order to fulfill legal obligations in the area of combating money laundering and fraud, data evaluations (including in payment transactions) are also carried out. These measures also serve to protect you.
• We use evaluation tools to provide you with targeted information and advice on products and services. These enable communication and advertising tailored to your needs, including market and opinion research.
• We use scoring to assess your creditworthiness. This calculates the probability that a customer will meet their payment obligations in accordance with the contract. Information such as income situation, expenses, existing liabilities, occupation, employer, length of employment, experience from previous business relationships, repayment of previous loans in accordance with the contract and information from credit bureaus can be included in the calculation. The scoring is based on a mathematically and statistically recognized and proven procedure. The calculated score values are used in the decision on individual contracts and in the risk management of the payment service provider.
Information about your right to object in accordance with Article 21 of the EU General Data Protection Regulation (GDPR)
Right to object on a case-by-case basis
You have the right to object at any time, for reasons that arise from your particular situation, to the processing of your personal data that is based on Article 6 paragraph 1 letter e GDPR (data processing in the public interest) and Article 6 paragraph 1 letter f GDPR (data processing based on a balancing of interests); this also applies to profiling based on this provision within the meaning of Article 4 No. 4 GDPR.
If you file an objection, we will no longer process your personal data, unless we can demonstrate compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Right to object to the processing of data for direct marketing purposes
We may also process your personal data for direct marketing purposes. You have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it relates to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection does not require any particular form and should be addressed to: Digisell GmbH
Fax: +49 (0) 30 - 9203 8393 64
Email: [email protected]