Privacy Policy

The protection of your personal data is a declared goal of Verimi GmbH (hereinafter “Verimi”). Data protection is of particular importance to Verimi and is carried out in accordance with the relevant legal provisions. With this statement we would like to inform you about the processing of your personal data at Verimi, to fulfil our information obligations under Art. 12 et seq. of the General Data Protection Regulation (GDPR).

Responsible body

The body responsible for data processing within the meaning of data protection law is:

Verimi GmbH
Oranienstraße 91
10969 Berlin

E-mail: service@verimi.com

Telephone: 0800-8374644 (free of charge from the German fixed and mobile networks)

Authorised representative managing directors: Roland Adrian, Dr. Dirk Woywod

Data protection officer

If you have any questions regarding data protection, please contact our data protection officer:

TechGDPR DPC GmbH
Heinrich-Roller-Straße 15
10405 Berlin

E-Mail: verimi.dpo@techgdpr.com

Personal data

Personal data is any information relating to an identified or identifiable natural person. In order to create a Verimi-Account with us, you must provide the following information during registration: First and last name, title, e-mail address and a password. Unfortunately, you will not be able to use the services of Verimi if you do not enter these mandatory details. In your Verimi-Account, you can also enter other data, such as your maiden name, date and place of birth, title, addresses, company, function, telephone numbers, customer numbers, bank details, payment and tax information, identification documents, body measurements, financial information, travel preferences, information from customer loyalty programs, or an overview of the equipment you use.

For the use of the COVID Pass function, the following categories of personal data are also collected, some of which contain special categories of personal data in accordance with Article 9 para. 1 GDPR:

COVID vaccination status

Surname, first name, date of birth, disease against which vaccination is carried out (corona), vaccine, product, manufacturer, vaccination number, vaccination date, country and issuer of the technical certificate as well as the unique identification number for the certificate (UVCI for short)

COVID Test Results

Surname, first name, date of birth, illness (against which testing is being carried out), type of test, product name, test manufacturer, date and time of sampling, test result, test centre or facility, country of testing, certificate issuer and certificate recognition

COVID recovery data

Surname, first name, date of birth, illness from which the citizen has recovered, date of the first positive test result, country of testing, certificate issuer, validity and certificate recognition

Driver’s license

The following categories of personal data are collected for the use of the driver’s license function:

Surname, first name, date of birth, place of birth, date of issue of the driver’s license, expiry date if applicable, issuing authority, driver’s license number, driver’s license classes, date of issue, validity and restrictions or additional information

Encryption

All data, including identity attributes and transaction data, are encrypted with user-specific keys and stored authentically (i.e. secured against manipulation) together with the Verimi ID. For this purpose, individual keys are generated for all users. For more information, see the Security Whitepaper.

Purposes and legal basis of our data processing

In order to create a Verimi-Account with us and use the various services provided by Verimi, you must register with Verimi and sign a user agreement with Verimi (see our terms of use).

The legal basis for the processing of your data by Verimi is the fulfilment of the contract of use between you and us (Art. 6 para. 1 lit. b) GDPR).

For some Services of Verimi (e. g. COVID Pass) you can also store special categories of personal data according to Art. 9 para. 1 GDPR, in particular health data.

The legal basis for the processing of this data is your express consent (Art. 6 para. 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR).

We also process data in order to send you e-mails on the basis of your consent to the sending of newsletters.

The legal basis for the processing of this data is your consent (Art. 6 para. 1 lit. a) GDPR).

Verimi may also be subject to statutory processing obligations. This is particularly the case if Verimi is subject to a statutory identification obligation under the German Money Laundering Act (Geldwäschegesetz – GwG) or a tax retention obligation under the Tax Code (Abgabenordnung – AO), value added tax law (Umsatzsteuergesetz – UStG) or commercial retention obligation under the German Commercial Code (Handelsgesetzbuch – HGB).

If you use the digital signature, we are obliged to carry out an identification procedure. In doing so, we process your e-mail address, mobile phone number, name, address, date of birth and identification data and must retain these afterwards. Furthermore, we are subject to processing obligations when using the payment function. You can find more information on this in the “Supplementary privacy policy when using Verimi Pay, Verimi Bank-Ident and for accessing online bank accounts”.

The legal basis for the processing here is the legal identification obligation according to GwG (Art. 6 para. 1 lit. c) GDPR).

Should you decide to store verified data, which have been collected by a third party through an identification process, in your Verimi-Account for future use, it is possible that data which we do not process on the basis of a legal obligation will be processed together with data which are subject to legal processing obligations to the same extent. This applies in particular to personal data that is technically inseparable from the legally stored document files.

The legal basis for the processing of this data is our legitimate interest (Art. 6 para. 1 lit. f) GDPR). This consists in the user-friendly provision of our services as well as the possibility of storing the above-mentioned verified data for the purpose of repeated usability.

Finally, in your and our interest, we also process your log files (IP addresses, meta and communication data, website access and other data generated via a website) in order to ensure the integrity, confidentiality and availability of the data processing systems, i.e. in particular the security and availability of your data at Verimi.

The legal basis for the processing of this data is our legitimate interest (Art. 6 para. 1 lit. f) GDPR). This consists in the maintenance and safe provision of our services.

App permissions

Using the Verimi app and 2-factor authentication (2FA) requires a smartphone with the minimum required version of the mobile operating system. Depending on the choice of service, the following access permissions may be required:

Photos/Media/Files

  • Read USB memory contents
  • Change or delete USB storage contents

Memory

  • Read USB memory contents
  • Change or delete USB storage contents

Camera

  • Take pictures and videos

Microphone

  • Record audio

Wi-Fi connection information

  • Recall Wi-Fi connections

Other

  • Retrieve data from the Internet
  • Get network connections
  • Pair with Bluetooth devices
  • Change network connectivity
  • Control light display
  • Access to networks
  • Change audio settings
  • Control near-field communication
  • Control vibration alarm
  • Disable hibernation

Cookies

We use cookies on our website. You will find more detailed information on this in the overview of cookies as a PDF file for download (see below). You can at any time change your settings in section “cookie preferences”, at the bottom of the page.

Essential Cookies

Essential cookies enable basic functions and are necessary for the proper functioning of our website.

The legal basis for the processing of this data is our legitimate interest (Art. 6 para. 1 lit. f) GDPR). This consists in the operation of our website.

Provider: WordPress
Host: .wordpress.com
Name: wordpress_test_cookie
Purpose: Cookie is placed for every visitor by WordPress to check if the browser accepts cookies (session cookie).
Storage time: Session
Third party access (yes/no): yes

Provider: Borlabs
Host: .verimi.de
Name: borlabs-cookie
Purpose: Saves the cookie settings of a visitor.
Storage time: 1 year
Third party access (yes/no): no

Social Media Cookies

We integrate functions of social networks on our website.

The legal basis for the processing of this data is your consent (Art. 6 para. 1 lit. a) GDPR and Art. 49 para. 1 lit. a) GDPR).

In doing so, you also consent to the processing of your data for transmission to third countries. In this context there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that the enforceability of your data subject rights cannot be guaranteed. You may change your cookie settings at any time.

Provider: YouTube
Host: .google.com
Name: NID
Purpose: The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
Storage time: 6 months
Third party access (yes/no): yes

Provider: Twitter
Host: .twimg.com
Name: _widgetsettings
Purpose: Collects data on user behaviour and interaction in order to optimize the website accordingly and display more relevant content to the user.
Storage time: until consent revoked
Third party access (yes/no): yes

Provider: Twitter
Host: .twitter.com
Name: local_storage_support_test
Purpose: The cookie is being used as part of the local storage. The cookie enables faster loading of content already visited by the user.
Storage time: until consent revoked
Third party access (yes/no): yes

Recipients of data

You have the possibility to transfer all or part of the data stored in your Verimi-Account to our Verimi partners for specific purposes. Verimi will only transfer your data on your behalf at your request and with your express consent. Once your data has been transmitted to a Verimi partner, the processing of your data is the responsibility of the partner. The Verimi partner is then the controller within the meaning of Art. 4 No. 7 GDPR.

In order to be able to offer you all functions at Verimi, we also use selected service providers who process data on our behalf. We only pass on data to service providers carefully selected by us and commissioned in text form within the scope of legally permissible order processing. These service providers receive only those data that are necessary for the fulfilment of the order and process them exclusively on our instructions.

These include the following categories of processors: identification service providers, software developers, hosters of servers, cloud storage and mails, technical service providers, service providers for sending e-mails and newsletters, providers of ticket systems, customer support, content management system providers, customer relationship management providers and web analysis services. Otherwise, a transfer to other recipients will only take place if we are legally obliged to pass it on or if you have given your consent in this respect.

In principle no data transfer outside the EU

Verimi processes your data on servers located within the European Union. This also applies to service providers commissioned by us for data processing. In rare individual cases, e.g. when using our support, your data may be transferred outside the European Union. In these cases Verimi ensures that the level of protection required by the GDPR is maintained, e.g. by means of adequacy decisions or other appropriate guarantees.

Duration of data storage

We store your data for the duration of your Verimi-Account. As long as your Verimi-Account exists, the contract of use between you and Verimi is also valid. However, you can delete your Verimi-Account at any time and thus terminate the contract between you and Verimi. This also applies to services that are considered individually, such as COVID Pass and driver’s license. We will then delete your data, unless we are legally obliged to continue storing or keeping it. A retention obligation may result, for example, from legal requirements for the use of the “Verimi Pay” function, see the “Supplementary privacy policy when using Verimi Pay, Verimi Bank-Ident and for accessing online bank accounts”. Furthermore, we are legally obliged to keep your identification data for 10 years if you have used our signature function. Insofar as the data is still required for the processing of outstanding transactions, it will be deleted at the earliest after these transactions have been completed.

Your log files (IP addresses, meta and communication data, website access and other data generated via a website) will be deleted after two weeks.

No automated decision making and profiling

The processing of your personal data by us is not related to automated decision making or profiling unless explicitly stated otherwise, see e.g. “Supplementary privacy policy when using Verimi Pay and for accessing online bank accounts”.

Data security

All data stored by us or by any order processors are protected against unauthorised access, loss and modification by applying current security standards. For this purpose, extensive technical and organisational security measures are applied with a standard that at least corresponds to the legal requirements. You can find more details in the Security Whitepaper.

Your rights

You have the following rights in relation to the data concerning you:

  • Right to information about your stored personal data, their origin and possible recipients and the purpose of the data processing (Art. 15 GDPR),
  • Right of correction of incorrect data or deletion of the processed data (Art. 16 and 17 GDPR),
  • Right to restrict processing (Art. 18 GDPR),
  • Right to withdraw your consent. We will then no longer continue the processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation (Art. 7 GDPR),
  • Right to data portability (Art. 20 GDPR),
  • Right of objection within the framework of the statutory provisions. If the data processing by us is based on legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. You may object to the processing of your data for direct marketing purposes at any time, even without giving reasons (Art. 21 GDPR).

In order to exercise your rights, please send us an informal message (see “Responsible body” above).

Right of appeal

If you believe that the processing of your personal data by us is unlawful or that we are in breach of data protection law for other reasons, you can complain to the supervisory authority responsible for us:

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstr. 219

10969 Berlin

Phone: +49 30 13889-0

Fax: +49 30 2155050

E-mail: mailbox@datenschutz-berlin.de

If you have any questions about our privacy policy or about data protection at Verimi, please do not hesitate to contact us (see “Responsible body” above).

Supplementary privacy policy when using Verimi Pay, Verimi Bank-Ident and for accessing online bank accounts

If you decide to use Verimi Pay, the identification method “Verimi Bank-Ident”, the payment initiation service or the account information service, or if the conclusion of the user contract is aimed at the use of Verimi Pay, the payment initiation service or the account information service, the information presented in this section applies in addition to the other data protection notices:

1. Verimi Pay:

Performance of the payment function

Processing purposes and legal basis

In order to use Verimi Pay, you give us a direct debit mandate for your account to collect payments. For this purpose, we need information about your bank account and your verified identity data (title, first name and surname, maiden name, pseudonym, date of birth, place of birth, nationality, residential address, type of identification document, date of issue, issuing authority, document number and expiry date). We also check whether you are a politically exposed person or are sanctioned. If this information is not already in your Verimi-Account, we will ask you to provide it.

When you use Verimi Pay, we process your personalized security features required to authorize the transaction. In addition, we collect and store the payment and transaction data for the transactions you initiate. We communicate these data to the credit institution we have entrusted with the management of the escrow account for payments.

In case of overdue payments, we will also use this data for debt collection. We store this data until one month after the last balance payment has been made for our legitimate interest of credit management (Art. 6 para 1 lit. f) GDPR).

The legal basis for the processing of this data is Art. 6 para. 1 sentence 1 b) GDPR, as the processing is necessary for the use of Verimi Pay within the framework of the contract of use existing between you and us.

Credit assessment

In order to be able to use Verimi Pay, we carry out a credit check. For this purpose, we transfer your personal data (first name and surname, title, sex, date and place of birth, nationality, residential address) to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and in return we receive personal data from SCHUFA regarding your creditworthiness (Score Points and Score Group). Should a claim be titled in the event of a breach of contract on your part, we will report your personal data on the respective transaction (title, first and last name, residential address, amount, date, bank account) to SCHUFA. The legal basis for these transmissions is Art. 6 para. 1 lit. b) GDPR.

SCHUFA processes the data received and also uses it for the purpose of profile formation (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland as well as, if applicable, other third countries (provided that an adequacy decision has been made by the European Commission) with information, among other things, to assess the creditworthiness of natural persons. More detailed information on SCHUFA activities can be found in the SCHUFA information sheet pursuant to Art. 14 GDPR or online at https://www.schufa.de/en/data-privacy/.

The admission to Verimi Pay by means of credit assessment and the granting of higher usage limits are automated decisions in individual cases according to Art. 22 GDPR. The automatic decision making is necessary in order to fulfil our contractual obligations towards you. If the forecast value obtained for your credit rating is below a predefined limit, Verimi Pay cannot be used by you or only with limited usage limits, without a non-automated decision being necessary. You have the right to contact us and state your point of view and to suggest a change of decision. For this purpose, please contact the above-mentioned contact address.

Verification of the bank account

In order to be able to use Verimi Pay, you have to store an online bank account in your Verimi-Account, from which the payments can be debited. However, the bank account can only be successfully stored if you successfully log in to your bank account using the account information service (section 3). Furthermore, we match the account holder name collected from the bank account with the name from your Verimi-Account. This is to prevent fraud and, if you have not yet provided us with another verified identity, to comply with identification obligations under money laundering legislation.

The legal basis for this processing is the fulfilment of legal processing obligations to prevent data misuse and criminal offences (Art. 6 para. 1 lit. c) GDPR and § 59 para. 1 ZAG).

2. Payment initiation service:

If you use Verimi’s payment initiation service (online bank transfer function), we process the transaction data (IBAN, BIC, beneficiary, beneficiary account, purpose of transfer, amount and confirmation of the transaction). The transaction data can also be transmitted to the beneficiary. We also collect the data you use to log in to your bank account and to initiate the payment (using a second factor, e.g. TAN), but this data is only transmitted to your bank and is not stored by Verimi. The processing purpose for this payment initiation service is the fulfilment of the user contract with you, Art. 6 para. 1 b) GDPR.

3. Account Information Service:

If you use Verimi’s account information service (e.g. for account verification), we will process the account information according to your order. We will obtain your consent before collecting information and data from your account. In this consent you will be specifically informed about the data to be processed and the purposes of processing. For example, after your consent, we collect your IBAN and your name in order to be able to assign the given account details to you. Furthermore, we collect the data (including any necessary second factor, e.g. TAN) that you use to log in to your bank account. However, this data is only forwarded to your bank and is not stored by Verimi. The legal basis for the processing of your data for the account information service is the fulfilment of the user contract with you, Art. 6 para. 1 b) GDPR.

4. Verimi Bank-Ident:

If you choose the Verimi Bank-Ident identification method, we will carry out an identity verification by means of a qualified electronic signature (QES) and a small-value money transfer (reference transfer). To do this, we first collect your name, place of birth, date of birth, nationality, address, email address and mobile phone number as part of the identification process. You then initiate a reference transfer using the payment initiation service (section 2). In addition to the transaction data, we collect the account holder’s name and IBAN. If we are not able to collect the account holder name via the payment initiation service, we will collect the account holder name via the account information service (section 3).

Afterwards, Verimi transfers the collected personal data (name, address, date of birth, place of birth, IBAN and account holder name) to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany. The legal basis for these transfers is Art. 6 para. 1 lit. f) GDPR. Transfers on the basis of Art. 6 para. 1 lit. f) GDPR may only take place if this is necessary to safeguard the legitimate interests of Verimi or third parties and if the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not take precedence. Verimi’s legitimate interest in this case is the verification of the collected data for identification purposes. Verimi can recognise whether a person is stored in the SCHUFA database under the given data on the basis of the match rates transmitted by SCHUFA and, if applicable, on the basis of a reference to an ID-based legitimation check carried out in the past at SCHUFA or another business partner. SCHUFA processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland as well as, if applicable, other third countries (insofar as an adequacy decision by the European Commission exists in respect of these) with information, inter alia, for assessing the creditworthiness of natural persons. Further information on the activities of SCHUFA can be found in the SCHUFA information sheet pursuant to Art. 14 of the GDPR or online at https://www.schufa.de/en/data-privacy/.

The QES is created on the basis of the data processing carried out so far. For this purpose, we transfer your name, your mobile phone number and the document to be signed to the qualified trust service provider Swisscom IT Services Finance S.E. By entering an SMS code sent to you, you approve the QES.

The legal basis for the processing of your data for Verimi Bank-Ident is the fulfilment of legal identification obligations (Art. 6 para. 1 lit. c) GDPR).

5. Fulfilment of obligations under payment services, money laundering and sanctions law:

We are legally obliged to process your data during and after the use of Verimi Pay, Verimi Bank-Ident, the payment initiation service and the account information service for the fulfilment of payment service, money laundering and sanctions obligations. This includes the identification of your person, the verification of your data as well as the comparison of your first and last name with current terrorism and sanctions lists. The legal basis for this processing is Art. 6 Para. 1 lit. c) GDPR to comply with our legal obligations. This also includes the legally required storage of your data for five years from the end of the business relationship. In addition, retention periods under tax and commercial law of a maximum of ten years in total may follow.