The protection of your personal data is the declared aim of Verimi GmbH (hereinafter referred to as Verimi). Data protection has a particularly high priority for Verimi and is carried out in accordance with the relevant legal provisions. With this statement we would like to inform you about the processing of your personal data at Verimi in order to fulfil our information obligations according to Art. 12 et seq. of the General Data Protection Regulation (GDPR).
1. Responsible body
Responsible for data processing within the meaning of data protection law is:
Telephone: 0800-8374644 (free of charge from German landlines and mobile phones)
Managing directors authorised to represent the company: Roland Adrian, Dr. Dirk Woywod
Data Protection Officer
If you have any questions regarding data protection, please contact our data protection officer:
TechGDPR DPC GmbH
2. Personal data
3. Data processing on our website
3.1 Temporary usage data (log files): Whenever you use our website, our platform or our apps, we process connection data that is automatically transmitted to enable you to visit the website or use the app. This connection data includes meta and communication data, website accesses, and other data generated via a website or when using an app such as IP address, IP location, type and version of the terminal device used, information on the mobile network used, time zone settings, operating system and platform.
The data processing of this connection data is absolutely necessary to enable the visit of the website, the platform or the use of the app, to ensure the permanent integrity, confidentiality and availability of our systems, for general administrative maintenance of our systems and for support, billing and fraud prevention purposes. The connection data is temporarily stored in internal log files for the purposes described above and the content is limited to what is necessary.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as the page view occurs in the course of the initiation or execution of a contract, and otherwise Art. 6 para. 1 lit. f of the GDPR due to our legitimate interest in enabling website access and app use, in the permanent integrity, confidentiality and availability of our systems, in the administration of our systems and in support, billing and fraud prevention.
The log files are generally stored for four weeks and then anonymised. Exceptionally, individual log files and IP addresses are kept longer in order to prevent further attacks from this IP address in the event of cyber attacks and/or to take action against the attackers by way of criminal prosecution.
3.2 Contact: You have various options for contacting us, such as by e-mail, telephone or via the contact form on our website. In this context, we process the data you provide when contacting us (e.g. e-mail address, mobile phone number, address) exclusively for the purpose of communicating with you.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as your information is required to answer your enquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in answering enquiries to us.
The data we collect when you contact us will be automatically deleted after we have fully processed your enquiry, unless we still need your enquiry to fulfil contractual or legal obligations (see section 12 “Duration of data storage”).
3.3 Registration: You have the option of registering with an account for our login area in order to use our services. We have highlighted the data that you are required to enter by marking them as mandatory fields. Registration is not possible without this data. The following data must be processed as part of the registration:
- First and last name
- E-mail address
In your Verimi account you can also store further data, such as:
- Birth name
- Date of birth
- Telephone numbers
- Customer numbers
- Bank details
- Payment data and tax information
- Identity documents
- Financial information
- Information from customer loyalty programmes
- Overview of devices in use.
The legal basis for processing the data required for registration (mandatory fields) is Art. 6 para. 1 lit. b DSGVO. For all other data, the legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO to enable you to individualise, customise and change your account, or your consent pursuant to Art. 6 para. 1 lit. a DSGVO, insofar as you have given it to us.
4. Data processing when using our services
The legal basis for the processing of your data by Verimi is the fulfilment of the existing contract of use between you and us (Art. 6 para. 1 lit. b GDPR), unless another legal basis is explicitly mentioned below.
For some services of Verimi (e.g. COVID Pass) you can also deposit special categories of personal data according to Art. 9 para. 1 GDPR, in particular health data. The legal basis for the processing of this data is your explicit consent (Art. 6 para. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR).
We also process your data internally in anonymised form for statistical purposes in order to be able to draw conclusions about user behaviour and performance.
The legal basis for processing this data is our legitimate interest in improving our services and evaluating partner performance (Art. 6 para. 1 lit. f GDPR).
In addition, we conduct satisfaction surveys or ask for your feedback on our services and inform you about our offers, in each case with your prior consent.
The legal basis for the processing of this data is your express consent (Art. 6 para. 1 lit. a GDPR).
When you use the “Identify” service, you have various options for identifying yourself to us. The data processing depends on (1) the chosen identification method (see sections 4.2 to 4.7) and (2) the chosen document.
For identity cards, passports and electronic residence titles, we process as far as available:
- Family name and maiden name
- First name(s)
- Order name, artist name
- Day and place of birth
- Eye colour
- Facial image
- Date of issue
- Validity date
- Document type
- Document number
- Serial number
- Access number (CAN)
- Issuing authority.
If you use your driving licence, we will process it as far as available:
- Family name with title
- First name(s)
- Day and place of birth
- Facial image
- Date of issue
- Expiry date
- Exhibition Authority
- Driving licence number
- Driving licence classes
- Date of issue
- Period of validity of driving licence categories issued for a limited period of time
- Restrictions and additional information (including conditions) in coded form
- Registrations of other Member States after change of residence abroad.
You can also use the “ID” service to simplify identification with partners. If you use services with partners that require certain identifications (e.g. driving licence with a car sharing provider), you can use your verified documents stored in your Verimi account for this purpose. When you connect your Verimi account to such a partner, we share the relevant information and documents with the relevant partner to fulfil the contract.
4.2 Verimi Bank Ident: Should you choose the identification method Verimi Bank-Ident, we will carry out an identity verification by means of qualified electronic signature (QES) and small value transfer (reference transfer). For this purpose, we first collect your name, title, place of birth, date of birth, nationality, address, e-mail address and mobile phone number via your input as part of the identification process. You then initiate a reference transfer by means of a payment initiation service (see also section 4.10.4). For this purpose, we transmit your name and BIC. In addition to the transaction data, we collect the account holder’s name, the IBAN and the BIC by means of the reference transfer that has then taken place. If we are unable to collect the account holder’s name via the payment initiation service, we will collect the account holder’s name via the account information service (see also section 4.10.5).Verimi transfers the collected personal data (name, title, address, date of birth, IBAN and account holder name) to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The legal basis for these transfers is Art. 6 para. 1 lit. f GDPR. Transmissions based on Art. 6 para. 1 lit. f GDPR may only be made if this is necessary to protect the legitimate interests of Verimi or third parties and if the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not take precedence. Verimi’s legitimate interest in this case is the verification of the collected data for identification purposes. Verimi can recognise whether a person is stored in the SCHUFA database under the given data on the basis of the match rates transmitted by SCHUFA and, if applicable, on the basis of a reference to an ID-based legitimation check carried out in the past at SCHUFA or another business partner. The SCHUFA processes the data received and possibly uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland and, if applicable, other third countries (insofar as an adequacy decision by the European Commission exists in respect of these) with information on, among other things, the assessment of the creditworthiness of natural persons. Further information on SCHUFA’s activities can be found in the SCHUFA information pursuant to Art. 14 GDPR.
The QES is created on the basis of the processing carried out so far. For this purpose, we transmit your name, your mobile phone number and the document to be signed to the qualified trust service provider Swisscom IT Services Finance S.E. By entering an SMS code sent to you, you release the QES.
The legal basis for the processing of your data for Verimi Bank-Ident is, in addition to the fulfilment of the existing contract of use between you and us (Art. 6 para. 1 lit. b GDPR), the fulfilment of legal identification obligations, Art. 6 para. 1 lit. c GDPR.
If you choose the eID identification method (online ID card function of the ID card), we will carry out an identity check using the eID function of your ID card, EU citizen card or residence permit. For this purpose, 2-factor authentication (2FA) is activated, see also section 7.2. Identification via eID is only possible via a terminal device using an NFC-enabled smartphone. This procedure is only suitable for documents with the eID function switched on.
If you opt for the Video-Ident identification method, we will carry out an identity check by means of video telephony. For this purpose, 2-factor authentication (2FA) is activated, see also section 7.2. Moreover, identification via video is only possible via an end device with a supported camera and microphone; the corresponding authorisations must be granted for Video-Ident. The Video-Ident procedure can be used for identity cards, passports, electronic residence titles and driving licences.
If you choose the Photo-Ident identification method, we will carry out an identity check using automated algorithms. For identification via Photo-Ident, an end device with a camera and microphone is also required, and the corresponding authorisations must be granted for Photo-Ident. In addition, photo identification via a mobile device requires the receipt of text messages and/or the reading of QR codes. The photo ID procedure can be used for identity cards, passports, electronic residence titles and driving licences.
4.6 Local-Ident: If you choose the Local-Ident identification method (identification at a local partner), we will carry out an identity check using our own application by an employee or that of a local partner company. In addition, Local-Ident requires a terminal device to receive SMS or the use of the Verimi app on the user’s terminal device. Local-Ident can be used for identity cards, passports and electronic residence titles as well as for driving licences.
4.7 Company data: Should you opt for the identification method Company Account, we will carry out an identification of your company. In this process, the person authorised for the company is identified (see sections 4.2 to 4.6) and activated as the holder of the company account. Subsequently, previously identified employees of the company are verified by the authorised person after their consent and also activated for the company account. For this purpose, we process as far as available:
- General company data
- E-mail address and role of staff
The “Authentication” service allows you to log in or authenticate directly with our partners using your Verimi account.
We only process your Verimi authentication means and account information (e.g. username and password, e-mail link, Verimi PIN or biometric methods) that are required for authentication with the partner. Which personal data is required at the partner depends on the respective partner, this can be e.g. e-mail addresses, user names or also IBAN (e.g. for logging in to online banking).
4.9 Sign: You can only use the “Sign” service if you have previously identified yourself, e.g. with an identity document (see section 4.1 et seq.).
Using the identification data set (first name and surname, place of birth, date of birth, nationality and residential address) from the ID document, a personal signature certificate is created and securely stored with the help of our trust service provider. The signature certificate enables you to electronically sign electronic documents. After uploading the document to be signed, you confirm your intention to sign via the stored second factor (e.g. via SMS or the Verimi app). The signed document is made available to you and your contract partner (or only to you within the scope of the self-service).
4.10 Verimi Pay: When you use the Verimi Pay service, we process your personal data as described in this section.
4.10.1 Implementation of the payment function:
In order to use Verimi Pay, you give us a direct debit mandate for your account to collect payments. For this purpose, we require information on your bank details and your title, first and last name, pseudonym, date of birth, e-mail address, home address and any delivery address you may have provided. When using Verimi Pay, we also process your personalised security features required to authorise the transaction. In addition, we collect and store payment and transaction data relating to the transactions you initiate. We communicate this to the credit institution we have commissioned to manage the trust account for payments.
Furthermore, we may transmit your title, name, date of birth, e-mail address and a delivery address to the application partner at your instruction so that the application partner can carry out the transaction (e.g. purchase of goods or services) on which the payment is based. Your bank details, however, will not be transmitted to the application partner.
The legal basis for the processing of this data is Art. 6 para. 1 lit. b GDPR, as the processing is necessary for the use of Verimi Pay within the framework of the existing usage contract between you and us.
In the event of late payment, we also use this data for our receivables management. We store this data until one month after the last final payment on the basis of our legitimate interest in debtor management (Art. 6 para. 1 lit. f GDPR).
4.10.2 Credit check:
If you wish to activate Verimi Pay or request a higher usage limit, we will carry out a credit check. For this purpose we transfer your personal data (first and last name, title, gender, date of birth and residential address) to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and in return we receive personal data from SCHUFA regarding your creditworthiness (score points and score group). If, in the event of a breach of contract on your part, a claim is enforced, we may report your personal data to SCHUFA (title, first and last name, home address, amount, date, bank details). The legal basis for this transfer is Art. 6 Para. 1 lit. b GDPR and § 31 Para. 2 Bundesdatenschutzgesetz (BDSG).
The SCHUFA processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland and, if applicable, other third countries (insofar as there is an adequacy decision on these by the European Commission) with information on, among other things, the assessment of the creditworthiness of natural persons. Further information on SCHUFA’s activities can be found in the SCHUFA information pursuant to Art. 14 GDPR.
The admission to Verimi Pay by means of a credit check and the granting of higher usage limits constitute automated decisions in individual cases in accordance with Art. 22 GDPR. The automated decision-making is necessary in order to fulfil our contractual services to you. If the prognosis value obtained for your creditworthiness is below a predefined limit, Verimi Pay cannot be used by you or can only be used with a limited usage limit, without this being dependent on a non-automated decision. You have the right to contact us to explain your position and to request a change of the decision. For this purpose, please contact us at the above address.
4.10.3 Verification of bank details: In order to be able to use Verimi Pay you have to deposit an online bank account in your Verimi account from which the payments can be debited. The bank account can only be successfully deposited if you successfully log into your bank account using the account information service (section 4.10.5). Furthermore, we match the account holder name collected from the bank account with the name from your Verimi account. This serves the purpose of fraud prevention and, if you have not yet deposited another verified identity, the fulfilment of identification obligations under money laundering law.
The legal basis for this processing is the fulfilment of legal processing obligations for the prevention of data misuse and criminal offences, Art 6 para. 1 lit. c GDPR, in conjunction with § 59 para. 1 Gesetz über die Beaufsichtigung von Zahlungsdiensten (ZAG).
4.10.4 Payment Trigger Service: If you use the payment initiation service (online transfer function) of Verimi, we process the transaction data (IBAN, BIC, recipient, recipient account, transfer purpose, amount as well as confirmation of the transaction). The transaction data may also be transmitted to the recipient of the transfer. Furthermore, we collect the data you use to login to your bank account and to trigger the payment (using a second factor, e.g. TAN), but this data is only forwarded to your credit institution and is not stored at Verimi.
The legal basis for this processing is the fulfilment of the usage contract with you, Art. 6 para. 1 lit. b GDPR.
4.10.5 Account Information Service: If you use Verimi’s account information service (e.g. for the verification of bank details), we process the account data according to your order. Before we collect information and data from your account, we will obtain your consent. This consent will specifically inform you about the data to be processed and the processing purposes. For example, after your consent, we collect IBAN and your name in order to be able to allocate the account details provided to you. Furthermore, we collect the data (including any necessary second factor, e.g. TAN) that you use to log in to your bank account. However, this data will only be forwarded to your bank and will not be stored at Verimi.
The legal basis for processing your data for the account information service is the fulfilment of the usage contract with you, Art. 6 para. 1 lit. b GDPR.
4. 11 COVID Pass: For the use of the COVID Pass service to deposit your test result, vaccination or recovery certificate, the following categories of personal data are collected in addition to the data collected for registration, some of which contain special categories of personal data pursuant to Art. 9 para. 1 GDPR.
Corona vaccination status:
- First name
- Date of birth
- Disease against which vaccination is given (Corona)
- Vaccination number
- Vaccination date
- Country and issuer of the technical certificate
- and the unique identification number for the certificate (UVCI for short);
Corona test results:
- First name
- Date of birth
- Disease (against which is tested)
- Type of test
- Product name
- Test manufacturer
- Date and time of sampling
- Date and time of the test result
- Test result
- Test centre or facility
- Country of testing
- Certificate issuer and certificate recognition;
Corona recovery data:
- First name
- Date of birth
- Illness from which the citizen has recovered
- Date of the first positive test result
- Country of testing
- Certificate issuer
- Validity from/to and certificate recognition
In addition – if you want to link the proof with your identity – we match the data from the identity document you have deposited (first name, surname, date of birth) with the data given in the COVID Pass.
The legal basis for the processing of this data is your express consent (Art. 6 para. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR).
4.12 Self-Service: As part of the Self Service, we offer you the possibility to view documents and data that you have uploaded to your Verimi account (e.g. ID data, ID documents, driving licence, COVID Pass, IBAN, tax number, etc.).
Furthermore, you can view your past activities (transactions, payments, logins to Verimi) and the devices and sessions used.
You can also sign PDF documents that you have uploaded yourself. The data processing involved corresponds to that described in section 4.3 “Signing”.
All data in your Verimi account (ID wallet) is encrypted and protected from access
The data (such as identity documents, driving licence, bank data such as IBAN, further details such as mobile number, e-mail address, etc.) are encrypted with user-specific keys and stored in a tamper-proof manner together with the Verimi ID generated by Verimi. For this purpose, individual keys are generated for all users.Data outside the ID Wallet (such as connection data, identity attributes and transaction data) is secured against unauthorized access with a Verimi key.
6. Data processing due to legal requirements
In certain constellations, we process personal data because we are legally obliged to do so. In these cases, the processing is carried out exclusively insofar as this is necessary to comply with the corresponding legal obligations, the legal basis of the data processing is Art. 6 para. 1 p. 1 lit. c GDPR, insofar as no other legal basis is expressly stated below.
Should you decide to store verified data collected through an identification process with a third party in your Verimi account for future use, data that we do not process on the basis of a legal obligation may be processed together to the same extent as data that is subject to legal processing obligations. This applies in particular to personal data that is technically inseparable from the document files that must be kept by law.
The legal basis for the processing of this data is our legitimate interest (Art. 6 para. 1 lit. f GDPR). This consists of the user-friendly provision of our services as well as enabling the storage of the above-mentioned verified data for the purpose of repeated usability by you.
Furthermore, Verimi is legally entitled and obliged to process identity documents according to ZAG.
In particular, Verimi is legally obliged to process your personal data in the following cases:
6.1 Money laundering: If you use or wish to use the Verimi Pay or Verimi Bank Ident services, the payment initiation service or the account information service, we are required by law to collect and process your personal data for money laundering prevention purposes. For this purpose, we process transaction and master data (name, place of birth, date of birth, nationality and residential address or, if there is no fixed abode with legal residence in the European Union and the postal address at which the contractual partner as well as the person appearing to the obligated party can be reached, § 11 para. 4 Gesetz über das Aufspüren von Gewinnen aus schweren Straftaten (GwG). We are legally obliged to keep this data for a period of five years, § 8 para. 4 p. 1 GwG.
6.2 eIDAS: If you use the “Sign” service, we work together with so-called qualified trust service providers (see section 4.3). When using these service providers, we are legally obliged to process your personal data in accordance with the eIDAS Regulation of the European Union (Regulation No. 910/2014). This includes the identification of your person, the verification and the archiving of your data. For this purpose, we process your name, place of birth, date of birth, addresses, contact information, nationality, account and ID card data. In addition, we process the electronic documents to be signed by you.
This obligation also includes the legally required retention of the above data for at least 10 years in the case of identification for the creation of a qualified electronic certificate.
6.3 Terror and sanctions lists and politically exposed persons: If you use the services Verimi Pay, Verimi Bank Ident, the payment initiation service or the account information service, we are legally obliged to check your first and last name against current EU terrorism and sanctions lists and to ensure whether you are a “politically exposed person”. We are legally obliged to keep this data for a period of five years, § 8 para. 4 p. 1 GwG.
6.4 Commercial and tax law: Furthermore, we are legally obliged to retain personal data in order to comply with commercial and tax law obligations even after the end of a business relationship. The corresponding retention periods are between six and ten years.
6.5 Disclosure to courts and authorities: Within the scope of the provisions set out in this section 5 or due to other legal regulations (such as those arising from the Strafprozessordnung), we disclose personal data to courts and authorities insofar as we are legally obliged to do so.
7. Use of the Verimi App
In this section we inform you about the processing of personal data when using the Verimi App.
7.1 Use of app tools (scripts, API, SDK): Our app uses programming codes (so-called scripts), programming interfaces (so-called API), software development kits (SDK) and comparable technologies (collectively “tools”), which are offered either by ourselves or by third parties and may be able to access the identification numbers stored in the mobile end device such as the device ID. Currently, only Tools that directly serve the technical provision and security of the App and are absolutely necessary are used. No optional tools are used.
7.2 App permissions: When using the Verimi App and for using the 2-factor authentication (2FA), a smartphone with the minimum required version of the mobile operating system is required. Depending on the choice of service, the following accesses may be required:
- Read memory contents
- Change or delete memory contents
- Read memory contents
- Change or delete memory contents
- Take pictures and record videos
- Record audio
WLAN connection information
- Retrieve WLAN connections
- Retrieve data from the Internet
- Retrieve network connections
- Pair with Bluetooth devices
- Face ID function (iOS only)
- Fingerprint function
- Change network connectivity
- Control light display
- Access to networks
- Change audio settings
- Control near field communication
- Control vibrating alarm
- Deactivate hibernation
- Activate and use push notifications
You can configure the respective permissions as desired, but please note that certain permissions are required to use some services.
8. Cookies on our website
We do not use essential or non-essential cookies on our website. Therefore, no cookie banner or consent is necessary for the use of our homepage.
9. Online presence in social networks
We maintain online presences in social networks in order to communicate there with customers and interested parties, among others, and to provide information about our products and services. The users’ data is usually processed by the social networks concerned for market research and advertising purposes. In this way, usage profiles can be created based on the interests of the users. For this purpose, cookies and other identifiers are stored on the computers of the data subjects. Based on these usage profiles, advertisements, for example, are then placed within the social networks but also on third-party websites.
As part of the operation of our online presences, it is possible that we may access information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) as well as data on interaction with our online presences (e.g. likes, subscription, sharing, viewing of images and videos) and the posts and content distributed via them. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presence and optimize it for our audience. Please see the list below for details and links to the social network data that we, as operators of the online presences, can access. The collection and use of these statistics are generally subject to joint responsibility. Where applicable, the relevant agreement is listed below.
The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in effective information and communication with users, and Art. 6 para. 1 lit. b GDPR, in order to stay in contact with and inform our customers, as well as to carry out pre-contractual measures with interested parties.
Where you have an account with the social network, it is possible that we may see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This may be, for example, via direct messages or via
posted articles. The content communication via the social network and the processing of the content data is thereby subject to the responsibility of the social network as a messenger and platform service.
For the legal basis of the data processing carried out by the social networks under their own responsibility, please refer to the data protection information of the respective social network. The following links will also provide you with further information on the respective data processing and the options to object.
We would like to point out that data protection requests can be asserted most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. You can also contact us with your request. In this case, we will process your request and forward it to the provider of the social network.
Below is a list of information about the social networks on which we operate online presences:
- YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
- Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
- Operation of the LinkedIn company page in joint responsibility on the basis of an agreement on joint processing of personal data (so-called Page Insights Joint Controller Addendum): https://legal.linkedin.com/pages-joint-controller-addendum
- Information on the processed site insights data and the contact option in the event of data protection enquiries: https://legal.linkedin.com/pages-joint-controller-addendum
- Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
- Xing (New Work SE, Am Strandkai 1, 20457 Hamburg)
- Kununu (New Work SE, Am Strandkai 1, 20457 Hamburg)
- Facebook / Instagram (USA und Kanada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland)
- Operation of the facebook/instagram company page in joint responsibility on the basis of an agreement on joint processing of personal data (so-called Page Insights Joint Controller Addendum): https://www.facebook.com/legal/terms/page_controller_addendum
- Information on the processed site insights data and the contact option in the event of data protection enquiries: https://www.facebook.com/legal/terms/information_about_page_insights_data
- Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
10. Recipients of data
You have the option to transfer all, or part of your data stored in your Verimi account to our Verimi partners for certain purposes. Such transfer of your data will only be carried out by Verimi at your request and with your express consent. After the transfer of your data to a Verimi partner, the processing of your data will take place under the responsibility of the Verimi partner. The Verimi partner is then the responsible party according to Art. 4 No. 7 GDPR.
The data we collect will only be passed on if there is a legal basis for this under data protection law in the specific case, in particular if:
- you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR,
- the disclosure is necessary for the assertion, exercise or defense of legal claims pursuant to Art. 6 para. 1 lit. f GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not having your data disclosed,
- we are legally obliged to disclose data pursuant to Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution or enforcement due to official requests, court decisions and legal proceedings, or
- this is legally permissible and required in accordance with Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request.
In order to be able to offer you all functions at Verimi, we also use selected service providers who process data on our behalf. We only pass on data to service providers carefully selected by us and instructed in writing within the framework of legally permissible order processing. These only receive the data that is necessary for the fulfilment of the order and process it exclusively on our instructions. This includes the following categories of commissioned processors: Identification service providers, software developers, hosters of servers, cloud storage and mails, technical service providers, service providers for mail dispatch and newsletter dispatch, ticket system providers, customer support, content management system providers, customer relationship management providers, as well as web analytics service.
11. In principle, no data transfer outside the EU
Verimi processes your data on servers within the European Union. This also applies to service providers commissioned by us for data processing.
In rare individual cases, e.g., when using our support, your data may be transferred to so-called third countries (outside the European Union or the European Economic Area) or personal data may be processed there.
Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.
Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.
If a third country transfer is provided for and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. When obtaining your consent, you will also be informed of this.
12. Duration of data storage
We store your data for the duration of the existence of your Verimi account. As long as your Verimi account exists, the user contract between you and Verimi also exists. However, you can delete your Verimi account at any time and thereby terminate the contract between you and Verimi. This also applies to services that can be considered separately, such as COVID Pass and driving licence. We will then delete your data unless we are legally obliged to continue to store or retain it or we have a legitimate interest in continuing to store it, for example to defend ourselves against legal claims or to enforce our own legal claims. A storage obligation may arise, for example, from legal requirements for the use of the Verimi payment function “Verimi Pay” or from tax or commercial law regulations. Furthermore, we are legally obliged to store your identification data for 10 years if you have used our signature function. If the data is still required to process outstanding transactions, it will be deleted at the earliest after these transactions have been processed.
13. No automated decision making and profiling
The processing of your personal data by us is not related to automated decision making or profiling (unless explicitly stated otherwise, see e.g., clause 4.4. “Verimi Pay”).
14. Data security
All data stored by us, or any order processors are protected against unauthorised access, loss and modification using current security standards. For this purpose, extensive technical and organisational security precautions are applied with a standard that at least corresponds to the legal requirements.
15. Your rights
You have the following rights with respect to us regarding the data relating to you:
- Right to information about your stored personal data, its origin and possible recipients and the purpose of the data processing (Art. 15 GDPR),
- Right to rectification of inaccurate data or erasure of processed data (Art. 16 and 17 GDPR), unless there are statutory retention periods (see point 12.),
- Right to restriction of processing (Art. 18 GDPR),
- Right to withdraw your consent. We will then no longer continue the processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation. (Art. 7 GDPR),
- Right to data portability (Art. 20 GDPR),
- Right to object within the framework of the legal requirements. Should the data processing by us be based on legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. You may object to the processing of your data for direct marketing purposes at any time, even without giving reasons (Art. 21 GDPR).
You have the right to revoke your consent at any time. This means that we will no longer process the data based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of objecting to the processing of data for direct marketing purposes, you have a general right of objection, which will also be implemented by us without giving reasons.
If you wish to exercise your right of revocation or objection, it is sufficient to send an informal message to the above contact details.
To exercise your rights, please send us an informal message (see 1. Responsible body)
Right of appeal
If you are of the opinion that the processing of personal data concerning you by us is unlawful or that we are violating data protection law for other reasons, you can complain to the supervisory authority responsible for us:
Berlin Commissioner for Data Protection and Freedom of Information
Tel.: +49 30 13889-0
Fax: +49 30 2155050
Version status: August 2023