Data protection declaration for the websites and mobile apps of IDnow GmbH

General information

Information about the Controller

Company: IDnow GmbH

Legal representative: Rupert Spiegelberg, Armin Bauer, Sebastian Bärhold, Martin Anders

Address: Auenstraße 100, 80469 Munich

Contact details of the Data Protection Officer: email@iitr.de (Dr. Sebastian Kraska)

General data processing information

Affected data: Personal data is only collected if you disclose it to us. Beyond that, no personal data is collected. Any processing of your data that exceeds statutory permissible limits shall only be carried out with your express consent.

Purpose of the processing: Execution of the contract.

Categories of recipients: Public authorities provided there are overriding legal provisions. External service providers or other contractors. Other external authorities provided the data subject has given his consent or unless the transmission of data is permissible due to overriding interest.

Transfers to third countries: Within the framework of contract fulfilment, data processors outside the European Union can also be used.

Duration of data storage: The duration of data storage is based on the legal obligations to retain data and is usually 10 years.

IDnow GmbH provides a service of verifying identities on identification documents (especially passports, personal identity cards and driving licences) and comparing these with a person. IDnow offers this service to its customers, e.g. banks, financial institutions, insurance companies, online platforms, car-sharing service providers, car hire service providers and operators of entertainment platforms (“Partners”), in order to comply with legal provisions (e.g. Money Laundering Act, Road Traffic Act), or in order to raise the security concerning the identity of the end user. In this process, IDnow shall act as a processor pursuant to Art. 28 of the GDPR according to the instructions of the customer, or it shall itself be the Controller.

a. Verification process
The end user of the service uses a technical terminal device (e.g. his PC, tablet or smartphone) in order to record or take a photo of the identity document and, where necessary, himself via the video-chat or with a photo using the camera. Below is an explanation of the verification process together with the relevant steps and the accompanying data processing. Usually the user is made aware of the verification service by the partner of IDnow. To carry out the verification service, IDnow will normally require end user data, particularly the first and last name, date of birth, place of birth, mobile telephone number, email address and address of the user. This data will either be collected by the partner or submitted by the end user on the website or in IDnow’s App. In the verification process itself, a photo and/or video recording of the identity document will be created, in order to compare the end user data received earlier with the data on the identity document. The data collected by IDnow differs according to the type of identity document and the customer’s specific case. For passports and identity cards, the first and last name, place of birth and date of birth in particular are collected. For verification in accordance with the Money Laundering Act, the issuing authority, number of identity document, the nationality and – in the case of personal identity cards – the address of the user are also collected. For driving licences, the first and last name, date of issue, licence categories and date of birth in particular are collected. Apart from the end user data, IDnow also stores the photo and video recording of the identity documents. In a next step, a photo or video recording of the end user’s face will be taken, depending on the partner’s configuration of the IDnow-Software. The photos will be taken either by the user himself or by an employee of IDnow.
For the identification of persons in accordance with the Money Laundering Act, the data will be collected in the course of a video chat. The conversation between the user and the IDnow employee will, in addition, be recorded both in sound and image, if the law so requires. The exact procedure of the verification process is described in detail in the respective terms and conditions of IDnow.

b. Consent, storage and deletion
All data collected by IDnow is used exclusively for purposes of verifying identity documents and/or identifying the user. Before each verification process, the end user will be informed by IDnow or the partner about what data will be collected by IDnow and transmitted to the partner. You will find this information in the currently applicable version of IDnow’s terms and conditions and/or in the terms and conditions and privacy policy of the partner. Any processing of your data that exceeds statutory permissible limits shall only be carried out with the express consent of the user. The data will be transmitted to the partner, and after 90 days at the latest, will be deleted from IDnow servers, provided that the partner did not issue a deletion request before this. This data can be stored by the partner because of the existence of statutory retention periods (e.g. in connection with the Money Laundering Act) during the course of and for up to five years after the end of the business relationship between the partner and the end user.

Specific information about the website

Use of the newsletter
In the course of registering for our newsletter, you are sharing your email address and, optionally, other data with us. We exclusively use this information to send you the newsletter. The data you entered while subscribing to the newsletter shall remain stored with us until you unsubscribe from our newsletter. You can unsubscribe anytime by clicking the link provided in the newsletter or sending us a message to that effect. Unsubscribing allows you to opt out of the use of your email address.

Use of Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies” – text files that are stored on your computer and that allow an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. If you activate IP anonymisation on this website, Google will, however, truncate your IP address prior to this within European Union member states or in other states that are party to the Agreement on the European Economic Area. The full IP address will only be transmitted to a Google server in the USA and truncated there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activities, and to provide further services related to website use and Internet use to the website operator. The IP address transmitted by your browser to Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by using the corresponding setting in your browser software; however, we would advise that in this case, you may not be able to use all functions of this website in full. You can also prevent the collection of data (including your IP address) generated by the cookie and relating to your use of the website to Google and the processing of this data by Google by downloading and installing the browser plug-in available via the following link (http://tools.google.com/dlpage/gaoptout?hl=de). Due to the debate about the use of analytics tools with complete IP addresses, we want to point out that this website uses Google Analytics with the “_anonymizeIp()” extension and thus, only shortened IP addresses are processed to exclude a direct personal reference.
Specifically for browsers on mobile devices, please click this link to prevent, for the future, the anonymised collection of data by Google Analytics on this website for your browser by using a so-called “opt-out cookie”.

Google AdWords Conversion Tracking
This website uses Google AdWords Conversion Tracking, a web analytics service provided by Google Inc. (“Google”). Google AdWords Conversion Tracking also uses “cookies” that are stored on your computer and allow an analysis of your use of the website. The information generated by the cookie about your use of this website is transmitted to a Google server in the USA and stored there. Google will use this information to evaluate your use of the website, to compile reports about website activities for the website operators and to provide further services associated with the use of the website and the Internet. Google will also transfer this information to third parties where applicable insofar as this is legally required or insofar as third parties process this data on behalf of Google. Google will in no event associate your data with other Google data. You can generally prevent the use of cookies if you prohibit the storage of cookies in your browser.

Using own “cookies”
This website uses its own “cookies” to increase user-friendliness (“cookies” are data records that are sent from the web server to the user’s browser and stored there for later retrieval). No personal data is stored in our own “cookies”. You can generally prevent the use of “cookies” if you prohibit the storage of “cookies” in your browser.

Marketo
We use the services of Marketo EMEA Limited to send out our newsletter and other mailshots (call for papers), to manage advertising permissions, and to collect statistical data on the use of our website and optimize the site accordingly.

If you purchase a product or service from us, your email address will be imported into Marketo’s systems so that we can send you information emails for similar goods or services in future. The legal basis for this is Article 6 (1) f) GDPR.

Marketo also uses cookies, which are text files that are stored on your computer and enable your use of the website to be analyzed. The information generated by the cookie on your use of this website is transmitted to one of Marketo’s servers (in an EU/EEA country) and stored there. Marketo uses this information on behalf of the operator of this website to analyze the use of the website by registered persons and to compile reports on the activities of the website. You can prevent cookies being stored by amending your browser settings accordingly. However, we would like to inform you that you may not be able to make full use of this website’s entire range of functions in this case.

Tracking pixel and how you can prevent this: We should like to point out that when sending out the newsletter or other requested information on our behalf, Marketo analyzes your user behavior. To perform this analysis, the emails that are dispatched contain ‘web beacons’ (also known as ‘tracking pixels’). These are single-pixel image files that link to our website, thereby enabling us to perform a session-based analysis of your user behavior. We record when you read our newsletter, which links in the newsletter you click on, and conclude from this what your personal interests are. Marketo stores the information collected in this way on its server in the EU/EEA.

Tracking is not possible if you have disabled the display of images by default in your email program. In this event however, the newsletter will not be displayed to you in full and you may not be able to use all of its functions. If you manually allow the images to be displayed, the above-mentioned tracking will take place.

Marketo’s address and URL with its Privacy Notice:
Marketo EMEA Ltd., Cairn House, South County Business Park, Leopardstown Road, Dublin 18, IRELAND
https://documents.marketo.com/legal/privacy/

Marketo Opt-out

YouTube
Our website uses plugins from YouTube, which is operated by Google. The operator of these pages is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

If you visit one of our pages equipped with a YouTube plugin, a connection to the YouTube servers is established. The YouTube server is thereby informed about which of our pages you have visited.

If you are logged in to your YouTube account, you will enable YouTube to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.

Our use of YouTube is done in the interest of providing an attractive display of our online content. This constitutes a legitimate interest in the sense of Art. 6 (1) point f) of the GDPR.

You can find more information on the handling of user data in YouTube’s privacy policy at: https://www.google.de/intl/de/policies/privacy.

Vimeo
Our website uses plug-ins of the video portal Vimeo. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.
If you visit one of our pages equipped with a Vimeo plug-in, a connection to the Vimeo servers is established. The Vimeo server is thereby informed about which of our pages you have visited. In addition, Vimeo will also obtain your IP address. This also applies even if you are not logged in to Vimeo or do not have an account with Vimeo. The information collected by Vimeo will be transmitted to the Vimeo server in the USA.
If you are logged in to your Vimeo account, you will enable Vimeo to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your Vimeo account.
You can find more information on the handling of user data in Vimeo’s privacy policy at: https://vimeo.com/privacy.

Google Web Fonts
For purposes of standard display of fonts, this website uses the so-called web fonts provided by Google. When you access a website, your browser will load the necessary web fonts in your browser cache, in order to display texts and fonts correctly.

For this purpose, the browser you are using must establish a connection with the Google servers. Through this, Google will be informed that our website has been accessed via your IP address. Our use of Google Web Fonts is done in the interest of providing a standard and attractive display of our online content. This constitutes a legitimate interest in the sense of Art. 6 (1) point f) of the GDPR.

If your browser does not support web fonts, your computer will use a standard font.
You can find more information on Google Web Fonts at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://www.google.com/policies/privacy/.

Google Maps
This website uses the map services of Google Maps through an API. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
To be able to use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this website has no influence on this data transmission.

The use of Google Maps is in the interest of providing an attractive display of our online content, and the easy retrieval of places indicated by us on the website. This constitutes a legitimate interest in the sense of Art. 6 (1) point f) of the GDPR.

You can find more information about the handling of user data in Google’s privacy policy available at: https://www.google.de/intl/de/policies/privacy/.

Information on further data processing procedures

Specific information on the application procedure
Affected data: Application information
Purpose of the processing: Conduct of the application procedure
Categories of recipients: Public authorities provided there are overriding legal provisions. External service providers or other contractors. Other external authorities provided the data subject has given his consent or unless the transmission of data is permissible due to overriding interest.
Transfers to third countries: In terms of the execution of the contract, only data processors within the European Union can be used.
Duration of data storage: Application data is deleted after communication of the decision, normally within four months, provided there is no consent to a longer data storage period.

Specific information on the processing of customer data/data of interested parties

Affected data: Data submitted for purposes of the execution of the contract; where applicable, other data exceeding the stipulated range for processing based on your express consent.
Purpose of the processing: Execution of the contract.
Categories of recipients: Public authorities, provided there are overriding legal provisions. External service providers or other contractors. Other external authorities provided the data subject has given his consent or unless the transmission of data is permissible due to overriding interest.
Transfers to third countries: Within the framework of contract fulfilment, data processors outside the European Union can also be used.
Duration of data storage: The duration of data storage is based on the legal obligations to retain data and is usually 10 years.

Specific information on the processing of employee data

Affected data: Data submitted for purposes of the execution of the contract; where applicable, other data exceeding the stipulated range for processing based on your express consent.
Purpose of the processing: Execution of the contract.
Categories of recipients: Public authorities provided there are overriding legal provisions. External service providers or other contractors. Other external authorities provided the data subject has given his consent or unless the transmission of data is permissible due to overriding interest.
Transfers to third countries: Within the framework of contract fulfilment, data processors outside the European Union can also be used.
Duration of data storage: The duration of data storage is based on the legal obligations to retain data and is usually 10 years.

Specific information on the processing of suppliers’ data

Affected data: Data submitted for purposes of the execution of the contract; where applicable, other data exceeding the stipulated range for processing based on your express consent.
Purpose of the processing: Execution of the contract.
Categories of recipients: Public authorities provided there are overriding legal provisions. External service providers or other contractors. Other external authorities provided the data subject has given his consent or unless the transmission of data is permissible due to overriding interest.
Transfers to third countries: Within the framework of contract fulfilment, data processors outside the European Union can also be used.
Duration of data storage: The duration of data storage is based on the legal obligations to retain data and is usually 10 years.

Specific information on the processing of identification data

Affected data: Data submitted for purposes of the execution of the contract; where applicable, other data exceeding the stipulated range for processing based on your express consent.
Purpose of the processing: Execution of the contract.
Categories of recipients: Public authorities provided there are overriding legal provisions. External service providers or other contractors. Other external authorities provided the data subject has given his consent or unless the transmission of data is permissible due to overriding interest.
Transfers to third countries: In terms of the execution of the contract, only data processors within the European Union can be used.
Duration of data storage: The duration of data storage is based on the legal obligations to retain data and is usually 10 years.

Further information and contacts
In addition, you can assert your rights any time, with regard to the rectification, erasure and restriction of processing of your data, or the exercise of your right of objection to processing as well as the right to data portability. You can contact us by email or by post through the contact details available under the following link: https://www.idnow.io/impressum/. Furthermore, you have the right to contact the data protection supervisory authority, in case of any complaints.