Privacy Policy
1. Who we are and how you can reach us
Responsible for the processing of personal data within this website is:
RODIAN Identity Services AG
c/o Volkswagen Financial Services Schweiz AG
Geerenstrasse 1
8304 Wallisellen – Switzerland
E-Mail: privacy-openbanking@verimi.com
2. Which data we (do not) process, for what, for how long and on which legal basis
In general, if we intend to process data from you, we will inform you about it here and it will not be used for any purpose that we do not explicitly state in this privacy policy.
2.1 Logging and analysis
We collect data about your access to the site which may allow identification and store it in the form of server log files. The following data is logged in this way:
- IP address
- HTTP status code
- date and time
- the browser identifier (user agent string) transmitted by your browser
- exact file name (URL) of the requested file(s)
- Referer (address from which the respective page is called)
- Request length
- Request duration
- Bytes sent
- Body bytes sent
- Host
- Port
- Protocol
- Scheme
- SSL Protocol
- Method
- URI
These log files are only used in the context of processing errors or improving the website. However, we reserve the right to check the server log files retrospectively if there are concrete indications of illegal use.
This data is automatically deleted after 6 months, unless it is exceptionally needed for longer (for example, as evidence).
The legal basis for data processing is Art. 6 para. 1 UAbs. 1 lit. f General Data Protection Regulation (GDPR). Legitimate interests in the processing on the basis of Art. 6 para. 1 UAbs. 1 lit. f GDPR are the guarantee of the functionality and security of our website, its improvement and the defense against attacks and other abuses.
2.2 Mandatory cookies and local storage
We use the cookies and local storage listed below on our website, which are mandatory for use.
Name
Domain
Provider
Purpose
Legal basis
Expiration date
cc_cookie
accounts.openbanking.verimi.de accounts.sandbox.verimi.cloud
RODIAN Identity Services AG
cookie for storing user consent
Art. 6 para. 1 UAbs. 1 lit. c GDPR
3 years
_mp_opt_ in_out_d5a 354752a3de3a0b59de 044b6a0af 51
accounts.openbanking.verimi.de accounts.sandbox.verimi.cloud
Mixpanel Inc.
cookie request to ensure that personal tracking is deactivated and no tracking cookies will be persisted
Art. 6 para. 1 UAbs. 1 lit. f GDPR
immediately
mp_d5a354752a3de3 a0b59de04 4b6a0af51_mixpanel
accounts.openbanking.verimi.de accounts.sandbox.verimi.cloud
Mixpanel Inc.
cookie request to ensure that personal tracking is deactivated and no tracking cookies will be persisted
Art. 6 para. 1 UAbs. 1 lit. f GDPR
immediately
_mpq_ d5a354752a3de3a0b5 9de044b6a0af51 _ev
local storage
Mixpanel Inc.
storage for sending Mixpanel messages
Art. 6 para. 1 UAbs. 1 lit. f GDPR
1 second
2.3 Optional Cookies
Below you will find an overview of the cookies that we only use with your consent.
You have the option to object or revoke your consent at any time via the cookie settings (see bottom of the web page bar).
Name
Domain
Provider
Purpose
Legal basis
Expiration date
preselect
accounts.openbanking.verimi.de accounts.sandbox.verimi.cloud
RODIAN Identity Services AG
cookie for remembering the preferred bank
Art. 6 para. 1 UAbs. 1 lit. a GDPR
3 years
2.4 Data processing when using the Account Chooser (selection of the bank when using our service)
Data processing when using the Account Chooser (selection of the bank when using our service) If you use our services, for example to identify yourself to a merchant via your online banking, you will first be directed to the Account Chooser. By entering and selecting your bank, you instruct us to process the data necessary for the forwarding to your bank. To make this possible the following data will be processed by us:
- Bank name
- BIC
- Issuer-URL
The issuer URL and the bank name are generally not stored. If you have given your consent to the comfort cookies, your BIC will be stored in the form of a cookie on your device in order to be able to automatically select your bank for you in the future.
The legal basis for the processing is Art. 6 para. 1 UAbs. 1 lit. b GDPR.
2.5 Data processing for analyses in the context of the use of the Account Chooser (bank selection when using our service)
In order to continuously improve our service for you, we measure the frequency of search entries when using the Account Chooser, which banks are selected and whether the bank selection was successfully completed or cancelled. We use the specialized service provider Mixpanel for this purpose. The usage behavior is transmitted completely anonymously, so that neither a cookie for recognition is set nor the IP address is stored. In order to ensure the functionality of this service, the non-personalized cookies with static values listed in chapter 2.2 are stored and the local memory is used to send the messages.
The legal basis for the data processing is Art. 6 para. 1 UAbs. 1 lit. f GDPR. Legitimate interest in the processing based on Art. 6 para. 1 UAbs. 1 lit. f GDPR is the improvement of our service.
2.6 Data processing upon contact
If you call us or send us a message, for example via the contact form or by e-mail, we need your e-mail address, your postal address or a telephone number if we are to answer you.
Instead of your name, you can also use a pseudonym. We will use this data as well as the date and time of your contact exclusively for processing your request, unless it is clearly a business contact. In the case of a business contact, we will use your data for customer and prospect support, in particular to contact you individually (insofar as this is legally permitted) – if necessary after researching further data – in order to make you offers and to clarify your need for our services and/or the possibility of a cooperation. We assume that this is in your interest. Your data will normally not be passed on to third parties. If we determine that we are not responsible for your request and cannot help you ourselves (for example, if you contact us, but your request concerns the specific service of your bank), we will make every effort to forward your request to the correct contact or to provide you with the correct contact, unless this is clearly not in your interest. We delete your data as soon as it is no longer needed for the respective purpose, i.e. usually three months after the last contact with you, whereby we only delete all requests that are ready for deletion once a quarter for reasons of proportionality. If you have any queries, please contact us again within three months.
If we continue to process your data for the purpose of customer and prospect support, we will delete your data as soon as you object to the processing or by March 31 of the second calendar year after your last business contact or expression of interest.
The legal basis for the data processing is Art. 6 para. 1 UAbs. 1 letters b and f GDPR. Legitimate interest in case of processing based on Art. 6 para. 1 UAbs. 1 letter f GDPR is to fulfill your request or to achieve that your request is fulfilled by forwarding your request or, in case of processing for the purpose of customer and prospect care, to promote the sales of our services and corresponding advertising.
Exceptions: We must store business and commercial letters and other tax-relevant documents in order to fulfill the retention obligations under commercial and tax law; we normally delete them by March 31 of the seventh calendar year after they come into existence, and in the case of accounting documents, of the eleventh calendar year after they come into existence.
The legal basis for the retention under tax law is Art. 6 para. 1 UAbs. 1 letter c GDPR in conjunction with. §§ 147 Fiscal Code of Germany (=Abgabenordnung, AO), 257 Commercial Code of Germany (Handelsgesetzbuch, HGB).
The storage period of your data may deviate from the above-mentioned periods due to statutory retention and limitation periods, for example due to §§ 195 ff. Civil Code of Germany (Bürgerliches Gesetzbuch, BGB).
If your request serves a special purpose (e.g. application), then only the explanations regarding the special purpose apply to the data processing in this context. You may receive these separately.
2.7 Data processing upon application
When you apply to us, we process the information that we receive from you as part of the application process, e.g. by means of a letter of application, CV, certificates, correspondence, telephone or verbal information. In addition to your contact details, information about your education, work experience and skills is particularly relevant to us; without this information, we cannot determine your suitability and cannot consider your application. We will only assess you according to your suitability for the respective position. You do not have to send us a photo. Information about your family situation, etc. is also not required. Since most of our jobs are security-related and for many positions, especially in the technical area, application documents alone are not sufficient, but we would also like to look at source codes created by you, for example, in order to assess your suitability, we usually conduct research on applicants on the Internet. However, we limit ourselves to public information in professional networks, code repositories, technical platforms for discussing problems, for example. We are happy if you point us to representative works by indicating your username. The information researched in this way will not be stored.
Your data will initially be processed exclusively for the purpose of carrying out the application procedure. If your application is successful, it will become part of your personnel file and will be used for the implementation and termination of the employment relationship and deleted in accordance with the regulations applicable to personnel files. If we are currently unable to offer you employment, we will continue to process your data for up to six months after sending the rejection letter in order to clarify any legal claims that may be necessary. If you have received reimbursements or other tax-relevant transactions (e.g. invitation to a meal), the corresponding accounting documents are regularly stored until March 31 of the eleventh calendar year after the payment at the latest in order to fulfill the retention obligations under commercial and tax law; in the case of commercial and business letters and other tax-relevant documents, they are stored for the seventh calendar year after their creation. The legal basis for data processing in the application process and as part of the personnel file is Section 26 (1) sentence 1 Federal Data Protection Act of Germany (Bundesdatenschutzgesetz, BDSG) and Article 6 (1) subparagraph 1 letter b GDPR and, if you have given your consent, Article 6 (1) subparagraph 1 letter a GDPR. Research in the context of job applications is the legal basis § 26 para. 1 p. 1 BDSG and Art. 6 para. 1 UAbs. 1 letters b and f and, if applicable, Art. 9 para. 2 lit. e GDPR, whereby legitimate interests are the guarantee of security in the company and the selection of suitable applicants. The legal basis for data processing after a rejection is Art. 6 para. 1 UAbs. 1 letter f GDPR. Legitimate interest in this respect is the defense against legal claims. The legal basis for storage under commercial and tax law is Art. 6 para. 1 UAbs. 1 lit. c GDPR in conjunction with. §§ 147 AO, 257 HGB.
As a rule, we do not require any special categories of personal data within the meaning of Art. 9 GDPR for the application process, such as information on your health, religion, ethnic origin, sexual orientation. We ask you not to provide us with such information in the first place. If such information is exceptionally relevant for the application process, we will process it together with your other applicant data. This may, for example, concern information about a severe disability that you can provide to us voluntarily and which we then need to process in order to fulfill our special obligations with regard to severely disabled persons. In these cases, the processing serves the exercise of rights or the fulfillment of legal obligations arising from labor law, social security law and social protection. The legal basis for the data processing is then Art. 9 (2) lit. b GDPR, §§ 26 (3) BDSG, 164 Social Code of Germany (Sozialgesetzbuch, SGB) IX.
2.8 Data processing when using the General Demo
For testing and demonstration purposes, we provide the so-called “General Demo”. This demo can be used without prior registration.
When using the General Demo, you usually instruct a third party (e.g. your bank or a trust service provider) to transmit personal data to us for testing and demonstration purposes. The personal data received from us accordingly will be processed exclusively for the testing and demonstration purposes commissioned by you. In order to be able to show certain functionalities of our service, the data will be stored for a short period of time.
Your personal data processed in this context will be automatically and irrevocably deleted every day. If you want to delete your personal data before, this can be done at any time by deleting your created account within the General Demo. The storage period of your data is therefore a maximum of 24 hours.
The legal basis for the processing is Art. 6 para. 1 UAbs. 1 lit. b GDPR.
3. Voluntary provision of your data
You are not obliged to provide us with personal data. If you do not provide us with certain data that we need to process your request (for example, a contact option if you want to receive a response from us), it may be that we cannot process your request. In the context of special procedures (e.g. if you want to use the Account Chooser) it may be necessary that you provide us with certain information, because otherwise we cannot forward you to your bank, for example. However, we will always point this out to you in each individual case.
4. Recipients of the data
As a matter of principle, your personal data will remain within our area of responsibility, except in special exceptional cases (e.g. if we forward an inquiry incorrectly addressed to us to the correct contact), in which case, however, we will explicitly inform you to whom we will forward your data. If necessary, it may be necessary to pass on your data to external advisors, for example in the case of legal disputes to lawyers (legal basis Art. 6 para. 1 UAbs. 1 letter f GDPR; purpose and legitimate interest: Exercise, defense or assertion of legal claims). Our administrators have technically necessary the possibility to access data processed by means of IT. We list further recipients of your data in the explanations of the respective data processing. In certain cases, we have to disclose your personal data to third parties so that you can receive the requested service (e.g. reimbursement of costs in the application process), namely to vicarious agents such as tax advisors, banks and other payment service providers, and postal service providers.
In certain areas, such as web hosting, ticket systems and e-mail hosting, we use specialized service providers:
Web Hosting:
Microsoft Ireland Operations Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland;
E-Mail-Hosting:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Ticket-System-Hosting:
Atlassian Pty Ltd, Level 6, 341 George St, Sydney NSW 2000, Australia;
These are strictly bound to our instructions with a contract on commissioned processing and may not process the data for their own purposes. The processing by these processors and their further processors only takes place within the EU with the exception of the companies listed below. Should the processing of your data by one of these providers take place in an unsafe third country (countries without a corresponding data protection law), it will be ensured that this is done on the basis of appropriate protection measures in accordance with Art. 44 et seq. GDPR, for example by agreeing on standard data protection clauses of the EU Commission, which are supplemented in individual cases by appropriate protective measures such as encryption of the data in accordance with Art. 46 (2) c) GDPR.
- Microsoft Corporation
- Google LLC
- Atlassian Inc.
5. Automated decision making, profiling
Automated decision-making or profiling does not take place.
6. Your rights
Under the respective legal conditions, you have the right to information, to correction or deletion, to restriction of processing, to object to processing and to data portability with regard to the personal data concerning you. In particular, you have the right to object at any time to the processing of your data for advertising purposes, without incurring any costs other than the transmission costs according to the prime rates of your provider (i.e., for example, the cost of an e-mail = usually none). If the data processing is based on consent, you have the right to revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent up to the revocation or the processing on another legal basis. If you want to use these rights, you can simply write to privacy-openbanking@verimi.com or revoke your consent for the Comfort cookie via the cookie settings (see bottom of the web page bar). If we call you, you can of course also tell us directly during the conversation.
You also have the right to complain to a data protection supervisory authority about our processing of your personal data, for example the German supervisory authorities. You can find a list of supervisory authorities and their contact details here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
If you have any questions or requests regarding data protection, you can of course also contact us at any time simply by sending an email to privacy-openbanking@verimi.com.
7. Your right to object
Insofar as a processing of your personal data is based on Art. 6 (1) UAbs. 1 lit. e or f GDPR, you have the right to object to the processing pursuant to Art. 21 GDPR. If you object on grounds relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and interests, or the processing serves to assert, exercise or defend legal claims. If your objection is directed against direct marketing, including profiling, insofar as it is related to such direct marketing, we will no longer process your personal data for these purposes.
December 2023