Data Protection Policy of WebID for websites and mobile apps
The following data protection declaration is to inform you of the processing of your personal data (hereinafter “Data”), which WebID Solutions GmbH (hereinafter “WebID”) processes relating to your use of this website, of the mobile apps (hereinafter together “Website”) and of WebID services. Such information is required in accordance with Articles 12, 13 and 21 of the European General Data Protection Regulation (GDPR). In addition, you will be informed of the scope of your consent to the processing of your Data and of the possibility to withdraw the consent you have given to WebID, both in accordance with section 3.3.3 of this data protection declaration.
Your data are processed in compliance with the relevant regulations on data protection, including without limitation the regulations contained in the GDPR and in the Federal Data Protection Act.
The controller, as stipulated in the GDPR, is:
WebID Solutions GmbH, Friedrichstr. 88, 10117 Berlin, Germany
2. Data protection officer
In case of any questions, please contact our external data protection officer as follows:
Data protection officer: Silvia C. Bauer
WebID Solutions GmbH, Data Protection Officer
Friedrichstr. 88, 10117 Berlin, Germany
3. Purposes and legal bases of data processing
3.1 Processing of Data when using the app
When you download our mobile app, the information required for the download will be transferred to the app store. Such information includes without limitation your e-mail address and the customer number of your account, date and time of download, payment information, if applicable, and the individual device code number. We have no influence on this data collection and are not responsible for it. We only process the Data to the extent required for the download of the mobile app to your mobile device and in this context, to the extent required for the use of the app, on the basis of Article 6, para. 1, lit. b of the GDPR.
3.2 Active use of the Website
In addition to the use of our Website purely for information purposes, you may also use our Website actively to make use of our WebID products, such as secure online identification or digital contract signature, to create a permanent user profile, to subscribe to our newsletter or to contact us. In addition to the dissemination of your personal data that occurs if you use our Website purely for information purposes, we then process additional personal data which we require in order to provide the relevant services and/or to answer your questions.
3.3.1 Verification and confirmation of identity or age – video legitimisation
Your Data in relation to the verification and confirmation of your identity, a documented declaration or your age are processed by WebID on behalf of WebID’s relevant partner company, e.g. a bank, a telecommunication company or an insurance company upon whose request we make such verification (“Partner”).
Your Data is processed exclusively for the purpose of verifying and confirming to the relevant Partner your identity, your declaration or your age.
For such purpose, we process the Data you provide in relation to your use of the WebID services for our Partner and the Data provided by our relevant Partner for the purpose of comparing it to the Data you provided, if applicable. A prerequisite for the processing of your Data is the set-up of a user profile (cf. section 3.3.3) where your Data is recorded and which provides us with the opportunity to contact you via e-mail and text message for video identification purposes, to transfer to you, amongst others, the transaction number (TAN) for the successful completion of the video identification process.
The scope of the processing activities related to this Data and the legal basis for such processing is to be based on the planned or existing contractual relationship between you and the Partner and on the legal requirements that may require a confirmation of identity or age. Depending on the legal basis for a confirmation of identity or age, the presentation of a valid identification document (e.g. ID card, passport) may be required in addition thereto. As a general rule, the following Data will be processed:
- surname, forename
- place of birth
- date of birth
- full address
- mobile phone number
- e-mail address
- user name for the video conference programme used
- photo / screenshot of the person and of the front and reverse side of the official identification document
- identification data contained in the official identification document (e.g. type of official identification document, date and place of issue, issuing authority)
- video and sound recordings of the video call.
To the extent we have established and verified your identity, we transfer the collected Data to the Partner. Should the verification of your identity be transferred via one of our distribution partners or one of the Partner’s distribution partners upon your request, the distribution partner shall only receive the information that the identity verification process has been completed successfully. The Partner processes the transferred Data in order to fulfil such Partner’s identification obligations as requested by laws and regulations on the prevention of money laundering and otherwise, and on its rights and obligations resulting from the contract concluded between such Partner and you.
We process your personal Data on the following legal bases:
- in relation to the business relationship with the relevant Partner in accordance with Article 28 of the GDPR
- in order to fulfil a contract
- in order to fulfil a legal obligation that we are subject to.
3.3.2 Digital contract signing
You may use our services to sign digital contracts with our Partners. After the video identification as described above or a similar legitimisation and after inspection of the relevant contract, you may digitally sign your contract partner’s contract via a digital certificate.
In doing so, we process the Data stipulated in section 3.3.1 for the purposes of your identification and digital contract signing. Your Data is being processed for contractual purposes, pursuant to Article 6, para. 1, lit. b of the GDPR, and in accordance with statutory regulations such as the eIDAS Regulation which must be complied with in the individual case for digital contract signing.
3.3.3 Processing for the purpose of the user profile “My WebID”
Our services for you also include the creation of a user profile.
In relation therewith, we process the Data collected regarding the video identification and the digital contract signing (cf. sections 3.3.1 and 3.3.2) and the transaction key linked to your user profile.
We use such Data for the purpose of enabling you to provide confirmation of your identity or age in future to our current and future Partners or of enabling you to digitally sign contracts.
The set-up of your user profile and the processing of the above-stated Data for WebID’s own purposes shall be subject to your declaration of consent in accordance with Article 6, para. 1, lit. b of the GDPR and the following declaration of consent, Article 6, para. 1, lit. a of the GDPR.
“I hereby declare my consent to the storage of my personal data by WebID Solutions GmbH in my user profile and to the processing of my data for future identification processes and/or digital signatures.”
You may revoke your consent during the video call, i.e. even before completion of the identification process, by making an oral declaration to WebID and/or thereafter at any time with future effect via e-mail at firstname.lastname@example.org. WebID will send you a confirmation of your revocation via e-mail.
To be able to process and answer your enquiries to us, e.g. via the contact form or to our e-mail address, we process your Data you have disclosed to us for such purpose. This includes your name, your age and your e-mail address, which we need to send you an answer, and other information you send together with your communication.
We process your Data in order to answer your request on the following legal basis:
- To the extent you contact us in relation to a contract to which you are a party and/or for the execution of pre-contractual measures, the legal basis is Article 6, para. 1, lit. b of the GDPR.
- To protect our legitimate interests in accordance with Article 6, para. 1, lit. f of the GDPR; our legitimate interest is expertly answering customer enquiries.
3.3.5 Newsletters, surveys, etc.
With your consent, we use your Data for marketing purposes, e.g. for the distribution of our newsletter, telephone calls or marketing surveys. We only collect the Data required for the relevant purpose, e.g. your e-mail address.
For these purposes, we process your Data on the following legal basis:
- To the extent you have given your consent, in accordance with Article 6, para. 1, lit. a of the GDPR.
4. Recipient categories
Within WebID, only those persons who require the Data in order to fulfil our contractual and legal obligations have access to it.
Within the framework of our activities as the processor, we transfer the collected Data to the Partner with which you are in contact. Should the verification of your identity be transferred via one of our distribution partners or one of the Partner’s distribution partners upon your request, the distribution partner shall only receive the information that the verification has been successful. The Partner processes the Data in order to fulfil such Partner’s identification obligations based on laws on the prevention of money laundering and otherwise, and on its rights and obligations resulting from the contract concluded between such Partner and you or with regard to the digital signature, in particular in order to document the conclusion of the contract.
In addition, we disclose your personal data to other recipients that render services to us regarding our Website or our services, such as IT service providers, to the extent such disclosure is legally permissible or required. We limit the disclosure of your personal data to the extent required, in particular in order to be able to render our services. Some of our service providers receive your personal data as processors and are then strictly bound by our instructions regarding the handling of your personal data. Some recipients process your Data independently after we transfer them.
5. Transfer to third countries
We do not transfer your personal data into countries outside the EU and/or outside the EEA and/or to international organisations.
Some pages of our Website contain links to third-party websites, including without limitation YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, in order to show YouTube videos. In order to increase protection of your Data while visiting our Website, YouTube is included in our Website to a limited extent only, by using an HTML link. This is to guarantee that at the time you access our Website, no connection to YouTube’s servers is established and your Data are not yet transferred to YouTube. Only if you activate the video and thus give your consent to the Data transfer does your browser establish a direct connection to YouTube’s servers and you are able to watch our video. Functionally, this means YouTube is included in our Website via a hyperlink, so neither we nor YouTube collect your Data via our Website.
All third-party providers’ websites are subject to their own data protection regulations. We are not liable for the operation of such third-party websites or for their data management. If you send information to or through such third-party websites, you should carefully read their data protection declarations before sending any information that might be allocated to you personally.
7. Periods for which your data is stored
During the video identification or a comparable identification process and the digital contract signing process, we process your Data on behalf of our clients (companies initiating the process). Therefore, the period for which your Data is stored is subject to the contractual agreements you have entered into with the client and/or to the storage periods applicable to that company. For the purposes of the Act on the Prevention of Money Laundering, our client may be obliged to store such Data for a period of up to 5 years, or in accordance with the trade and tax law requirements for a period of up to 10 years.
The provision of services related to the qualified electronic signature is also subject to the obligation to store your Data in accordance with the regulations contained in the eIDAS Regulation and the related national legal requirements in the long term in order to enable the initiating company to provide proof – with legal certainty – for the services provided in this connection. In Austria, data must be stored, for example, for up to 35 years.
To the extent you have given your consent to the processing of your Data, we store the data until you revoke your consent; in these cases too, we might have to archive your Data for legal or statutory requirements. In such cases, your Data is made inaccessible for use for any other purposes and is kept only for the fulfilment of our legal or statutory obligations.
If you send an enquiry to us while using our Website, we otherwise store your personal data for the period needed to answer your enquiry and/or for the period of our business relationship, including the initiation of a contract (pre-contractual relationship) and the execution of a contract.
In addition, based on our legal relationship, we then store your personal Data until expiry of the identification period applicable to be able to provide it as evidence for any legal claims, if required. Generally, the limitation period is between 12 and 36 months, but may be up to 30 years.
Upon expiry of the limitation period, we irrevocably erase your personal Data unless we are subject to a legal retention period, e.g. based on the German Commercial Code (section 238, section 257, para. 4) or on the Fiscal Code (section 147, paras. 3 and 4). Such retention periods may be between 2 and 10 years.
8. Your rights as the data subject
In accordance with statutory requirements, you, as the data subject, have the following rights, which you are entitled to assert against us:
Right to access information: In accordance with Article 15 of the GDPR, you are entitled, at any time, to demand a confirmation of whether or not we are processing your personal data. If we are processing your personal data, you are entitled, in accordance with Article 15 of the GDPR, to receive information on such personal data and certain other information (e.g. purpose of processing, categories of personal data, categories of recipients, planned storage periods, your rights, data origins, the use of automated decision-making processes and, in case of a transfer to a third country, the suitable safeguards) and a copy of your Data.
Right to rectification: In accordance with Article 16 of the GDPR, you are entitled to demand that we rectify the personal data stored about you if they are inaccurate or erroneous.
Right to erasure: In accordance with the prerequisites of Article 17 of the GDPR, you are entitled to demand that we immediately erase your personal data. The right to erasure does not apply if the processing of your personal data is required (i) for the execution of the right to freely express one’s opinion and the right to information; (ii) in order to fulfil a legal obligation we are subject to (e.g. statutory retention periods); or (iii) in order to assert, execute or defend legal claims.
Right to restrict data processing: In accordance with Article 18, you are entitled to demand that we immediately restrict the processing of your personal data.
Right to portability: In accordance with Article 20 of the GDPR, you are entitled to demand that we transfer to you your personal data you have provided, in a structured, standard and machine-readable format.
Right to object: In accordance with Article 21 of the GDPR, you are entitled to object to the processing of your personal data, in which case we are obliged to refrain from processing your personal data. The right to object shall be limited to the scope described in Article 21 of the GDPR. In addition, the processing of your personal data might be in our legitimate interest, therefore we would be entitled to process your personal data despite your objection.
Right to lodge complaints with regulatory authorities: In accordance with Article 77 of the GDPR, you are entitled to lodge a complaint with a regulatory authority, in particular in the member state of your place of residence, your workplace or of the place where the presumed violation occurred, if you are of the opinion that the processing of your personal data is a violation of the GDPR. The right to object shall be without prejudice to other administrative or judicial remedies.
The regulatory authority responsible for our company and services is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit,
Friedrichstr. 219, 10969 Berlin, Germany
Telephone (exchange) +49 30 13889-0
Fax: +49 30 2155050
Revocation of consent: If you revoke your consent to the collection, processing and use of your Data with future effect in whole or in part, e.g. in accordance with section 3.3.3 of this data protection declaration, we will erase your Data without delay, to the extent you requested, or restrict access thereto, unless otherwise required based on statutory retention periods.
9. Obligation to provide Data
As a general rule, you are not obliged to disclose your personal data to us. However, if you refuse to provide your personal data, you may not be able to use our Website, and we will not be able to answer your enquiries or to render our services. Personal data that is mandatory for the above-stated purposes is marked by an “*” or another symbol.
10. Automated decision-making / profiling
We do not use automated decision-making or profiling (automated analysis of your personal circumstances). We will inform you should we use such processes in any individual case.
When collecting or transmitting your Data, we use up-to-date SSL encryption (SSL = Secure Sockets Layer). This SSL encryption guarantees the confidentiality of communications. This security feature is active if the symbol of an unbroken key or of a closed lock (depending on your browser) is shown in the lower area of your browser window.
Right to object
For reasons resulting from your specific situation, you are entitled to object to the processing of your personal data by us based on Article 6, para. 1, lit. e (processing is necessary for the performance of a task carried out in the public interest) or Article 6, para. 1, lit. f GDPR (processing is necessary for the purposes of the controllers’ legitimate interests). The same shall apply, mutatis mutandis, to profiling based on these provisions. We shall no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for such processing, which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where your personal data is being processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes. If you object to the processing of your personal data for direct marketing purposes, your personal data shall not be used for such purposes anymore.
Please direct any objections to the address stipulated in section 1.
We reserve the right to adjust this data protection declaration at any time. Any changes will be announced by publishing the changed data protection declaration on our Website. Unless otherwise stipulated, such changes shall take immediate effect. Please read this data protection declaration regularly to ensure that you have read the latest version.
Last amended in May 2019.