Privacy Policy

The protection of your personal data is a declared goal of Verimi GmbH (Verimi). Data protection is of particular importance to Verimi and is carried out in accordance with the relevant legal provisions. With this statement we would like to inform you about the processing of your personal data at Verimi. Personal data is any information relating to an identified or identifiable natural person. Processing in this sense includes as a generic term any form of handling of data.

Responsible body

Responsible for data processing within the meaning of the data protection law is the:

Verimi GmbH

Oranienstraße 91

10969 Berlin

E-mail: service@verimi.com

Telephone: 0800-8374644 (free of charge from the German fixed and mobile networks)

Authorised representative managing directors: Roland Adrian, Dr. Dirk Woywod

Data protection officer

If you have any questions regarding data protection, please contact our data protection officer:

Christian Aretz

E-mail: datenschutzbeauftragter@verimi.com

Personal data

Personal data is any information relating to an identified or identifiable natural person. In order to create a Verimi-Account with us, you must provide the following information during registration: First and last name, title, e-mail address and a password. Unfortunately, you will not be able to use Verimi if you do not enter these mandatory details. In your Verimi-Account, you can also enter other data, such as your maiden name, date and place of birth, title, addresses, telephone numbers, bank details, payment and tax information, identification documents, body measurements, financial information, travel preferences, information from customer loyalty programs, or an overview of the equipment you use.

Purposes and legal basis of our data processing

In order to create a Verimi-Account with us and use the various services provided by Verimi, you must register with Verimi and sign a user agreement with Verimi (see our terms of use).

The legal basis for the processing of your data by Verimi is article 6 paragraph 1 sentence 1 letter b GDPR, as the processing is necessary for the fulfilment of the user agreement between you and us.

We also process data in order to send you e-mails on the basis of your consent to the sending of newsletters.

The legal basis for the processing of this data is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

Verimi may still be subject to legal processing obligations. This is particularly the case if Verimi is subject to a legal obligation to identify or retain data.

If you use the digital signature, we are obliged to carry out an identification procedure. In doing so, we process your e-mail address, mobile phone number, name, address, date of birth and identification data and must retain these afterwards. Furthermore, we are subject to processing obligations when using the payment function. You can find more information on this in the “Supplementary privacy policy for the use of Verimi Pay and for access to online bank accounts”.

The legal basis of the processing is then Art. 6 para. 1 sentence 1 lit. c GDPR.

Should you decide to store verified data, which have been collected by a third party through an identification process, in your Verimi-Account for future use, it is possible that data which we do not process on the basis of a legal obligation will be processed together with data which are subject to legal processing obligations to the same extent. This applies in particular to personal data that is technically inseparable from the legally stored document files.

The legal basis for the processing of this data is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the user-friendly provision of our services and in enabling the storage of the above-mentioned verified data for the purpose of repeated usability.

Finally, we process data in your and our interests in order to guarantee the integrity, confidentiality and availability of the data processing systems, i.e. in particular the security and availability of your data at Verimi.

The legal basis for the processing of this data is Art. 6 para. 1 sentence 1 letter f GDPR. Our legitimate interest lies in the maintenance and safe provision of our services.

We use cookies on our website. You will find more detailed information on this in the overview of cookies as a PDF file for download (see below). You can at any time change your settings in section “cookie preferences”, at the bottom of the page.

Essential Cookies

Essential cookies enable basic functions and are necessary for the proper functioning of our website.

The legal basis for the processing of this data is Art. 6 (1) (f) GDPR. Our legitimate interest is the operation of our website.

Provider Host Name Purpose Storage time Third party access (yes/no)

WordPress

.wordpress.com

wordpress_test_cookie

Cookie is placed to every visitor by WordPress to check if the browser accepts cookies (session cookie).

session

yes

Borlabs

.verimi.de

borlabs-cookie

saves the cookie settings of a visitor

1 year

no

Social Media Cookies

We integrate functions of social networks on our website.

The legal basis for the processing of this data is your consent pursuant to Art. 6 (1) (a) GDPR and your consent pursuant to Art. 49 (1) (a) GDPR.

In this context, you also consent to the processing of your data for transmission to third countries. There is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that the enforceability of your data subject rights cannot be guaranteed.

Provider Host Name Purpose Storage Time Third party access (yes/no)

Youtube

.google.com

NID

The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.

6 months

yes

Twitter

.twimg.com

_widgetsettings

Collects data of user behaviour and interaction in order to optimize the website accordingly and display more relevant content to the user

until consent revoked

yes

Twitter

.twitter.com

local_storage_support_test

The cookie is being used as part of the local storage. The cookie enables faster loading of content already visited by the user.

until consent revoked

yes

Receiver of data

You have the possibility to transfer all or part of the data stored in your Verimi-Account to our Verimi partners for specific purposes. Verimi will only transfer your data on your behalf at your request and with your express consent. Once your data has been transmitted to a Verimi partner, the processing of your data is the responsibility of the partner. The Verimi partner is then the responsible person in the sense of Art. 4 No. 7 GDPR.

In order to be able to offer you all functions at Verimi, we also use selected service providers who process data on our behalf. We only pass on data to service providers carefully selected by us and commissioned in writing within the scope of legally permissible order processing. These service providers receive only those data that are necessary for the fulfilment of the order and process them exclusively on our instructions. These include the following categories of contract processors: Identification service providers, software developers, server hosters, technical service providers, newsletter senders, customer support, web analysis service.

In principle no data transfer outside the EU

Verimi processes your data on servers located within the European Union. This also applies to service providers commissioned by us for data processing. In rare individual cases, your data may be transferred outside the European Union. In these cases Verimi ensures that the level of protection required by the GDPR is maintained, e.g. by means of adequacy decisions or other appropriate guarantees.

Duration of data storage

We store your data for the duration of your Verimi-Account. As long as your Verimi-Account exists, the contract of use between you and Verimi is also valid. However, you can delete your Verimi-Account at any time and thus terminate the contract between you and Verimi. We will then delete your data, unless we are legally obliged to continue storing or keeping it. This may result, for example, from legal requirements for the use of the Verimi Pay function “Verimi Pay”, see the “Supplementary privacy policy when using Verimi Pay and for accessing online bank accounts”. Furthermore, we are legally obliged to keep your identification data for 10 years if you have used our signature function. Insofar as the data is still required for the processing of outstanding transactions, it will be deleted at the earliest after these transactions have been completed.

No automated decision making and profiling

The processing of your personal data by us is not related to automated decision making or profiling (unless explicitly stated otherwise).

Data security

All data stored by us or by any order processors are protected against unauthorised access, loss and modification by applying current security standards. For this purpose, extensive technical and organisational security measures are applied with a standard that at least corresponds to the legal requirements. You can find more details in the Security Whitepaper.

Your rights

You have the following rights in relation to the data concerning you:

Right of objection and withdrawal

You have the right to revoke any consent given to us at any time. We will then no longer continue the processing based on this consent for the future. The legality of the processing carried out on the basis of the consent until revocation is not affected by the revocation. Should the data processing by us be based on legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. You may object to the processing of your data for the purposes of direct marketing at any time, even without giving reasons. To exercise your right of withdrawal or objection, please send us an informal message.

Right of appeal

If you believe that the processing of your personal data by us is unlawful or that we are in breach of data protection law for other reasons, you can complain to the supervisory authority responsible for us:

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstr. 219

10969 Berlin

Phone: +49 30 13889-0

Fax: +49 30 2155050

E-mail: mailbox@datenschutz-berlin.de

If you have any questions about our privacy policy or about data protection at Verimi, please do not hesitate to contact us.

Supplementary privacy policy when using Verimi Pay, Bank-Ident and for accessing online bank accounts

As far as you decide to use Verimi Pay, the identification method “Bank-Ident”, the payment initiation or account information service or the conclusion of the user contract aims at the use of Verimi Pay, the payment initiation or account information service, the information presented under this section shall apply in addition to the other data protection notices:

1. Verimi Pay:

Performance of the payment function

Processing purposes and legal basis

In order to use Verimi Pay, you give us a direct debit mandate for your account to collect payments. For this purpose, we need information about your bank account and your verified identity data (title, first name and surname, maiden name, pseudonym, date of birth, place of birth, nationality, residential address, type of identification document, date of issue, issuing authority, document number and expiry date). We also check whether you are a politically exposed person or are sanctioned. If this information is not already in your Verimi-Account, we will ask you to provide it.

When you use Verimi Pay, we process your personalized security features required to authorize the transaction. In addition, we collect and store the payment and transaction data for the transactions you initiate. We communicate these data to the credit institution we have entrusted with the management of the escrow account for payments.

The legal basis for the processing of this data is Art. 6 para. 1 sentence 1 b) GDPR, as the processing is necessary for the use of Verimi Pay within the framework of the contract of use existing between you and us.

Credit assessment

In order for you to be able to use Verimi Pay, we carry out a credit check. For this purpose, we transmit your personal data (first name and surname, title, gender, date and place of birth, nationality, residential address) to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and in return we receive personal data from SCHUFA regarding your creditworthiness (Score Points and Score Group). Should it come to the titling of a claim in case of breach of contract on your part, we will report your personal data on the respective transaction (title, first and last name, residential address, amount, date, bank account) to SCHUFA. The legal basis for these transmissions are Art. 6 para. 1 S.1 lit. b) and lit. f) GDPR. Transmissions on the basis of Art. 6 Paragraph 1 S.1 lit. f) GDPR may only be carried out if this is necessary to protect the legitimate interests of Verimi GmbH or third parties and does not outweigh the interests or fundamental rights and freedoms of the person concerned, which require the protection of personal data.

The SCHUFA processes the data received and also uses it for the purpose of profile formation (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland as well as, if applicable, other third countries (provided that a decision on appropriateness has been made by the European Commission) with information, among other things, to assess the creditworthiness of natural persons. More detailed information on SCHUFA activities can be found in the SCHUFA information sheet pursuant to Art. 14 GDPR or online at www.schufa.de/data-privacy.

The admission to Verimi Pay by means of credit assessment and the granting of higher usage limits are automated decisions in individual cases according to Art. 22 GDPR. The automatic decision making is necessary in order to fulfil our contractual obligations towards you. If the forecast value obtained for your credit rating is below a predefined limit, Verimi Pay cannot be used by you or only with limited usage limits, without a non-automated decision being necessary. You have the right to contact us and state your point of view and to suggest a change of decision. For this purpose, please contact the above-mentioned contact address.

Verification of the bank account

In order to be able to use Verimi Pay you have to deposit an online bank account in your Verimi-Account, from which the payments can be debited. However, the bank account can only be successfully deposited if you successfully log in to your bank account using the account information service (section 3). Furthermore, we match the account holder name collected from the bank account with the name from your Verimi-Account. This is to prevent fraud and, if you have not yet provided us with another verified identity, to comply with identification obligations under money laundering legislation.

The legal basis for this processing is our legitimate interest in preventing data misuse. The legal basis for this processing is our legitimate interest in preventing data misuse, criminal offences and payment defaults to our detriment, Art. 6 para. 1 sentence 1 lit. f) GDPR, § 59 para. 1 ZAG as well as the fulfilment of legal processing obligations, Art. 6 para. 1 sentence 1 lit. c) GDPR.

2. Payment initiation service:

If you use Verimi’s payment initiation service (online bank transfer function), we process the transaction data (IBAN, BIC, beneficiary, beneficiary account, purpose of transfer, amount and confirmation of the transaction). The transaction data can also be transmitted to the beneficiary. We also collect the data you use to login to your bank account and to initiate the payment (using a second factor, e.g. TAN), but this data is only transmitted to your bank and is not stored by Verimi. The processing purpose for this payment initiation service is the fulfilment of the user contract with you, art. 6 para. 1 p. 1 b) GDPR.

3. Account Information Service:

If you use Verimi’s account information service (e.g. for account verification), we will process the account information according to your order. We will obtain your consent before collecting information and data from your account. In this consent you will be specifically informed about the data to be processed and the purposes of processing. For example, after your consent, we collect IBAN and your name in order to be able to assign the account details given to you. Furthermore, we collect the data (including any necessary second factor, e.g. TAN) that you use to log in to your bank account. However, this data is only forwarded to your bank and is not stored by Verimi. The legal basis for the processing of your data for the account information service is the fulfilment of the user contract with you, Art. 6 para. 1 p. 1 b) GDPR.

4. Bank-Ident:

If you choose the Bank-Ident identification method, we will carry out an identity verification by means of a qualified electronic signature (QES) and a small-value money transfer (reference transfer). To do this, we first collect your name, place of birth, date of birth, nationality, address, email address and mobile phone number as part of the identification process. You then initiate a reference transfer using the payment initiation service (section 2). In addition to the transaction data, we collect the account holder’s name and IBAN. If we are not able to collect the account holder name via the payment initiation service, we will collect the account holder name via the account information service (section 3).

Afterwards Verimi transfers the collected personal data (name, address, date of birth, place of birth, IBAN and account holder name) to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany. The legal basis for these transfers is Art. 6 Para. 1 lit. f) GDPR. Transfers on the basis of Art. 6 (1) (f) GDPR may only take place if this is necessary to safeguard the legitimate interests of Verimi or third parties and if the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not take precedence. Verimi’s legitimate interest in this case is the verification of the collected data for identification purposes. Verimi can recognise whether a person is stored in the SCHUFA database under the given data on the basis of the match rates transmitted by SCHUFA and, if applicable, on the basis of a reference to an ID-based legitimation check carried out in the past at SCHUFA or another business partner. The SCHUFA processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland as well as, if applicable, other third countries (insofar as an adequacy decision by the European Commission exists in respect of these) with information, inter alia, for assessing the creditworthiness of natural persons. Further information on the activities of SCHUFA can be found in the SCHUFA information sheet pursuant to Art. 14 of the GDPR or online at www.schufa.de/datenschutz.

The QES is created on the basis of the data processing carried out so far. For this purpose, we transfer your name, your mobile phone number and the document to be signed to the qualified trust service provider Swisscom AG. By entering an SMS code sent to you, you approve the QES.

The legal basis for the processing of your data for Bank-Ident is the fulfilment of the user contract with you, Art. 6 para. 1 p. 1 lit. b) GDPR as well as the fulfilment of legal identification obligations, Art. 6 para. 1 p. 1 lit. c) GDPR.

5. Fulfilment of obligations under payment services, money laundering and sanctions law:

We are legally obliged to process your data during and after the use of Verimi Pay, Bank-Ident, the payment initiation service and the account information service for the fulfilment of payment service, money laundering and sanctions obligations. This includes the identification of your person, the verification of your data as well as the comparison of your first and last name with current terrorism and sanctions lists. The legal basis for this processing is Art. 6 Para. 1 S. 1 lit. c) GDPR to comply with our legal obligations. This also includes the legally required storage of your data for five years from the end of the business relationship. In addition, retention periods under tax and commercial law of a maximum of ten years in total may follow.