www.giropay.de Privacy policy

The following provisions on data protection apply exclusively to services that giropay GmbH offers on its website www.giropay.de and for which personal data is collected. In contrast, unless otherwise stated in these provisions, transfers initiated via giropay are subject to the provisions on data protection and terms for online banking of the respective bank or savings bank (“Sparkasse”), which can be accessed at any time on their respective websites.

 

I. Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national laws on data protection of the member states as well as other regulations on data protection is

giropay GmbH
An der Welle 4
60322 Frankfurt
Telephone: +49 721 47666 3544
Telefax: +49 721 47666 3534

If you have any questions or suggestions regarding data protection, you are welcome to contact us by email at customersupport(at)giropay.de.

II. General Information on Data Processing

1. Scope of Processing of Personal Data

As a matter of principle, we collect and use personal data from our users only to the extent necessary to provide a functional website as well as our contents and services that we offer on our website www.giropay.de. Collection and further processing of personal data from our users is regularly only carried out with the user’s prior consent. Processing without the user’s consent is only carried out in exceptional cases and where the processing of the data is permitted by legal provisions.

2. Data Erasure and Storage Duration

Personal data of data subjects will be erased or blocked as soon as the purpose of the storage no longer applies. Storage can take place for an extended period if this was provided for by the European or national legislator in EU regulations, laws or other provisions to which giropay GmbH is subject. Blocking or erasure of the data is also carried out when a retention period stipulated by the aforementioned provisions expires, unless there is a necessity for further storage of the data for the conclusion or fulfilment of a contract. Where different retention periods apply, we will inform the user about such deviating retention periods in this privacy policy separately.

 

III. Transaction Data

1. Transaction Data

In principle, giropay GmbH does not process any transaction data from users. Transaction data is data that is necessary to execute payments initiated by the user.

When users of the giropay services trigger a payment, we do not collect any transaction data in connection with this payment. In particular, we do not collect any information about whether the user has triggered a payment, nor the value or the reference of the payment. This information is generally only collected and further processed by the institution in charge of the user's bank account. The institution in charge of the user's bank account is the controller of the data processing as defined by the GDPR with regard to the payment transaction.

Only in individual cases and only at the user's instigation do we collect transaction data to process enquiries regarding a payment made by the user (payment research) or a user enquiry on technical problems (see section III. 2).

2. Processing of Transaction Data for Payment Research and in the Case of User Enquiries on Technical Problems

If the user wishes to initiate a payment research in connection with a payment transaction made via a giropay service, or if he/she would like to send us an inquiry regarding technical problems, he/she has the possibility to contact us via the contact form provided on this website, by email, by telephone or by fax.

a) Description and scope of data processing

In order to process the user enquiry for payment research or for technical problems that the user has initiated via the contact form, email, telephone or fax, giropay GmbH collects the following personal data of the user:

- Gender
- First name
- Last name
- Email address
- Recipient/Online shop
- Date
- Value
- giropay transaction ID

At the time the message is sent, the following data is also stored:

- The user’s IP address
- Date and time of the request

Alternatively, it is possible to contact us via the provided email address. In this case, the user’s personal data transmitted with the email will be processed. This data includes in particular

- First name
- Last name
- Email address
- giropay transaction ID
- Information provided by the user on the matter

In the context of an enquiry for payment research or technical problems via our contact form, the user's consent to the processing of this data for these purposes is obtained as well as a confirmation that no personal data of third parties, e.g. as contact person, are entered in the input fields.


b) Legal Basis for Data Processing

The legal basis for the processing of data to process the user's request for payment research and for enquiries on technical problems that the user has initiated via the contact form, by email, telephone or fax is the user's consent, Art. 6 (1) lit. a GDPR.

The legal basis for the processing of data transmitted by sending an email in connection with the initiation of a payment research or for processing a user's enquiry on technical problems is Art. 6 (1) lit. f GDPR. We have a legitimate interest to process the enquiries of our users regarding a payment research or technical problems and subsequently to contact the user in relation to the enquiry.

c) Purpose of Data Processing

We process this data to process the user's request for a payment research and to solve technical problems.

d) Provision of the Data

The provision of personal data is not required by law or contract, nor is it necessary to enter into a contract with us. Users are not obliged to provide us with this personal data. Without this data, however, we are not able to process the user’s enquiry for payment research or technical problems.

e) Retention Period

The data will be erased as soon as it is no longer necessary for the purpose it was collected for. For the personal data obtained through the input mask of the contact form and the data sent by email, this is the case when the respective conversation with the user ends. The conversation is deemed ended when it can be concluded from the circumstances that the matter in question has been finally clarified.
The personal data additionally collected during the sending process will be erased after a period of seven days at the latest.

f) Withdrawal of Consent

If the user has initiated the user inquiry for payment research and technical problems via the contact form, by email, telephone or fax, he/she has the right to withdraw his/her consent to the processing of his/her personal data at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn as follows: The user declares the withdrawal of his consent to the processing of his personal data via contact form, email, telephone or fax. In order to enable processing of the withdrawal, the user must identify himself in accordance with his original request.

g) Possibility to Object

If the user sends us a request for payment research or technical problems via contact form, email, telephone or fax, he/she has the right to object at any time, for reasons arising from his/her particular situation, to the processing of personal data concerning him/her in accordance with Art. 21 GDPR. We will stop processing the user's personal data unless we can prove compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The user can exercise his right of objection by declaring his objection to the processing of his personal data via contact form, email, telephone or fax. In order to enable the processing of the objection, the user must identify himself in accordance with his original request.

IV. Provision of the Website

1. Description and Scope of Data Processing

When our website is accessed, no personal data is automatically recorded or stored. In particular, no website tracking takes place in which, for example, IP addresses that could enable identification of a specific user are stored.

2. Web Storage

Web storage is a data storage in the user's browser. This storage makes it easier for the user to fill out the form when he/she accesses it again and improves the user-friendliness and service. The data stored in the web storage for this purpose is only accessible to the user (via his browser) and giropay. Third parties and other websites cannot access the data. giropay uses the possibility of data storage in the user's web storage only on its bank selection page (https://bankenauswahl.giropay.de) in the context of a giropay payment. During the regular use of our website, no data is stored in the web storage.
If users do not wish data to be stored in the web storage, they can either refuse to provide their consent or alternatively – subsequently – delete the data in their browser as described below.

Specifically, we use Web Storage in the following situations:
 

| Category | Name | Provider | Functionality, purpose and scope of data processing | Retention | Type |
| --- | --- | --- | --- | --- | --- |
| Web Storage / Bank selection / Contracting banks | giropay | giropay.de | If the user selects a contracting bank, the BIC (Bank Identifier Code), bank code and name of the bank selected by the user on the giropay bank selection page are stored in the web storage in order to forward the user directly to his house bank for further giropay payments. No further data such as account number or login data is stored. | Until clearance of the browser cache by the user | HTTPS |
| Web Storage / Account Connection | giropay | giropay.de | If the user selects a non-contracting bank, the IBAN entered on the giropay bank selection page, the BIC (Bank Identifier Code), the bank code and the name of his bank are stored in the web storage in order to directly forward the user for further giropay payments. No further data, such as login data, is stored. | Until clearance of the browser cache by the user | HTTPS |

giropay GmbH only stores the types of data described above in the web storage if the user provides his consent. This consent then constitutes the legal basis for the storage, Art. 6 (1) lit. a GDPR. As described in section X. 7. of this privacy policy, the user can withdraw his consent at any time with effect for the future. To do so, he/she can clear the cache of his browser (instructions on how to do this are provided here).

The data stored in the web storage will only be processed by us again when the bank selection page is accessed again. They are erased when the user clears the cache as described above.

The provision of the personal data stored in the web storage is not required by law or contract, nor is the provision in the web storage necessary to enter into a contract with us. Without a storage in the web storage, however, the data cannot be retrieved during the next access to the bank selection page. The user must therefore fill out the form anew each time.

V. Merchant Registration

1. Description and Scope of Data Processing

On our website, we offer users the opportunity to register for the integration of our payment and/or verification solutions in the online shop by entering personal data and thereby submit a contract offer to our sales partner GiroSolution, Meersburg. The following data is collected during the registration process:

- Name of the company
- Legal form of the company
- Address of the company
- Email address of the company
- VAT ID (optional)
- Name and gender of the contact person in the company
- Email address and, if applicable, telephone number of the contact person

At the time of registration, the following data is also stored:

- The IP address of the user
- Date and time of registration

As part of the registration process, the user's consent to the processing of this data is obtained as well as a confirmation that no personal data of third parties, e.g. as contact person, is entered in the input fields.

2. Legal Basis for Data Processing

The legal basis for the processing of the data is the consent of the user, Art. 6 (1) lit. a GDPR. In addition, Art. 6 (1) lit. b GDPR is a legal basis, as registration is carried out at the user's request and with the aim of entering into a contract.

3. Purpose of Data Processing

A registration of the user is required for the performance of a contract with the user or in order to take steps prior to entering into a contract. The user registers in order to integrate the payment and/or verification solutions that he/she has chosen himself beforehand into his online shop and to be able to use them according to the provided conditions.

4. Retention Period

The personal data additionally collected during the sending process will be erased after a period of seven days at the latest.

5. Provision of the Data

The provision of this personal data is not required by law or contract, nor is it necessary for the performance of a contract with us. Users are not obliged to provide us with this personal data. Without this data, however, our sales partner GiroSolution is not able to process the user's contractual offer to use the payment and/or verification solutions that he/she has previously chosen.

6. Withdrawal of Consent

The user has the right to withdraw his consent to the processing of his personal data at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn as follows: The user declares the withdrawal of his consent to the processing of his personal data via contact form, email, telephone or fax. In order to enable processing of the withdrawal, the user must identify himself in accordance with his original request.

 

VI. Contact Form and Email Contact

1. User Enquiry in Connection with a Payment Research or Technical Problems

For information on data processing in the case of a user enquiry in connection with a payment research or technical problems, please refer to section III.2.

2. Description and Scope of Data Processing for Other User Enquiries

There is a contact form on our website which can be used to contact us by electronic means. If a user takes this opportunity, the data entered in the input mask will be transmitted to us and stored. These data are:

- Gender
- First name
- Last name
- Email address
- Phone number (only for merchant inquiries)

At the time the message is sent, the following data is also stored:

- The IP address of the user
- Date and time of the request

For the processing of the data, the user's consent is obtained during the sending of the contact form and reference is made to this data protection information.
Alternatively, it is possible to contact us via the provided email address. In this case the personal data of the user transmitted with the email will be processed. This data includes in particular

- First name
- Last name
- Email address
- Information provided by the user on the matter

The data will be used exclusively for the processing of the conversation.

3. Legal Basis for Data Processing

The legal basis for the processing of the data that the user sends to us using the contact form is the user's consent, Art. 6 (1) lit. a GDPR.
The legal basis for the processing of data transmitted by sending an email is Art. 6 (1) lit. f GDPR. We have a legitimate interest in processing the requests of our users and subsequently contacting the user in relation to the request.

If the email contact aims at entering into a contract, an additional legal basis for the processing is Art. 6 (1) lit. b GDPR.

4. Purpose of Data Processing

The processing of the personal data from the input mask is used solely to process the contact. In the case of contact by email, this also includes the necessary legitimate interest in the processing of the data.

5. Retention Period

The data will be erased as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input mask of the contact form and data sent by email, this is the case when the respective conversation with the user ends. The conversation is deemed ended when it can be concluded from the circumstances that the matter in question has been finally clarified.
The personal data additionally collected during the sending process will be erased after a period of seven days at the latest.

6. Provision of the Data

The provision of personal data is not required by law or contract, nor is it necessary to enter into a contract with us. Users are not obliged to provide us with this personal data. Without this data, however, we are not in a position to process the user enquiry.

7. Withdrawal of Consent

If the user contacts us via contact form, he/she has the right to withdraw his/her consent to the processing of his/her personal data at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn as follows: The user declares the withdrawal of his consent to the processing of his personal data via contact form, email, telephone or fax. In order to enable processing of the withdrawal, the user must identify himself in accordance with his original request.

8. Possibility to Object

If the user contacts us by email, he/she has the right to object at any time, for reasons arising from his/her particular situation, to the processing of personal data concerning him/her for the purposes of processing the contact request, in accordance with Art. 21 GDPR. We will stop processing the user's personal data unless we can prove compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The user can exercise his right of objection by declaring his objection to the processing of his personal data via contact form, email, telephone or fax. In order to enable the processing of the objection, the user must identify himself according to his original request.

 

 

VII. Transmission of Data

1. Transmission of Data without the User’s Consent

In principle, personal data of the user will only be transmitted without the user's express prior consent in the case mentioned below:

Service providers of giropay GmbH

We are dependent on contractually affiliated third-party companies and external service providers ("processors") to provide our services. In such cases, personal data will be transmitted to these processors to enable them to process the data further. These processors are carefully selected and regularly audited by us to ensure that your privacy is protected. The processors may use the data exclusively for the purposes specified by us and are furthermore contractually obliged by us to process your data exclusively in accordance with this privacy policy and the European and German Data Protection regulations.

We use the following processors: SERVISCOPE AG, Karlsruhe (Germany)

The transfer of data to the processor is based on Art. 28 (1) GDPR, alternatively on our legitimate interest in the commercial and technical advantages associated with the use of specialised processors, and the fact that your rights and interests in the protection of your personal data do not override, Art. 6 (1) lit. f GDPR.

2. Transmission of Data with the User’s Consent

If the user has agreed to the storage of the respective bank or account information in the web storage (see section IV.3. of this privacy policy), we will automatically access this data from the web storage the next time the bank selection page is visited and automatically forward it. The recipients of this data are:

- either the credit institution to whose site the user is forwarded, or
- if the user uses the payment initiation service of Volksbank in der Ortenau eG, Volksbank in der Ortenau eG, Okenstraße 7, 77652 Offenburg.

VIII. Change of Purpose

Processing of users' personal data for purposes other than those described above will only be carried out where permitted by law or where users have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform users of these other purposes prior to further processing and provide them with any other relevant information.

 

IX. Automated Decision Making or Profiling Measures

We do not use automated processing to make decisions, including profiling.

 

X. Rights of the Data Subject

If the user's personal data is processed, the user is the data subject within the meaning of the GDPR and has the following rights in relation to the controller:

1. Right of Access

The user has the right to obtain from giropay GmbH confirmation as to whether or not personal data concerning him/her is processed by giropay GmbH.

In the event of such processing, the user may request information on the following:

a) the purposes for which the personal data is processed;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
d) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of a right to rectification or erasure of personal data concerning the user, a right to limit processing by giropay GmbH or a right to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data is not collected from the data subject, any available information as to its source;
h) the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In addition, the user has the right to receive a copy of the personal data that is subject to processing by giropay GmbH.

2. Right to Rectification

You have the right to request rectification and/or completion from giropay GmbH if the processed personal data concerning you is incorrect or incomplete. giropay GmbH must carry out the correction without undue delay.


3. Right to Restriction of Processing

Under the following conditions, the user may request the restriction of the processing of personal data concerning him:

a) if the user disputes the accuracy of the personal data concerning him/her for a period of time that enables the controller to verify the accuracy of the personal data;
b) if the processing is unlawful and the user opposes the erasure of the personal data and requests the restriction of their use instead;
c) if giropay GmbH no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims, or
d) if the user has objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of giropay GmbH or a third party override those of the user.

Where the processing of personal data relating to the user has been restricted, such data shall, with the exception of storage, only be processed with the user's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing was restricted according to the above-mentioned conditions, you will be informed by giropay GmbH before the restriction of processing is lifted.

4. Right to Erasure

a) Duty to Erase


The user can demand from giropay GmbH that the personal data concerning him/her be erased without undue delay, and giropay GmbH shall have the obligation to erase personal data without undue delay where one of the following reasons applies:

1. the personal data concerning the user is no longer necessary for the purposes for which it was collected or otherwise processed;
2. the user withdraws his consent on which the processing was based according to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal basis for the processing;
3. the user objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the user objects to the processing pursuant to Art. 21 (2) GDPR;
4. the personal data concerning the user has been processed unlawfully;
5. the personal data concerning the user have to be erased for compliance with a legal obligation in Union law or the law of the member states, to which giropay GmbH is subject;
6. the personal data concerning the user have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

b) Information to third parties

If giropay GmbH has made the personal data concerning the user public and is obligated to delete it according to Art. 17 (1) GDPR, giropay GmbH, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the user as data subject has requested the erasure by giropay GmbH of any links to, or copy or replication of, those personal data.

c) Exceptions

The right to erasure does not exist insofar as the processing is necessary

1. to exercise the right to freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which giropay GmbH is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health pursuant to Art. 9 (2) lit. h and i as well as Art. 9 (3) GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes according to Art. 89 (1) GDPR, in so far as the right mentioned in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
5. for the establishment, exercise or defence of legal claims.

5. Right to Data Portability

The user has the right to receive the personal data concerning him/her, which he/she has provided to the controller, in a structured, commonly used and machine-readable format. Furthermore, the user has the right to transmit this data to another controller without hindrance from the controller to whom the personal data have been provided, where:

a) the processing is based on a consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR and
b) the processing is carried out by automated means.

In exercising this right, the user also has the right to obtain that the personal data concerning him/her be transmitted directly from one controller to another, insofar as this is technically feasible. The freedoms and rights of other persons shall not be affected by this.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Right to Object

The user has the right to object on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 (1) lit. e or f GDPR, including profiling based on these provisions.

giropay GmbH will no longer process the personal data concerning the user after an objection has been made, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data relating to the user are processed for the purpose of direct marketing, the user has the right to object at any time to the processing of personal data relating to him/her for the purpose of such marketing, including profiling, insofar as it is related to such direct marketing.

If the user objects to the processing for direct marketing purposes, the personal data concerning him/her will no longer be processed for these purposes.

Notwithstanding Directive 2002/58/EC, the user may exercise his/her right to object in the context of the use of information society services by automated means using technical specifications.

The user can exercise his right of withdrawal as follows: The user declares the revocation of his consent to the processing of his personal data via contact form, email, telephone or fax. In order to enable the processing of the revocation, the user must identify himself according to his original request.

7. Right to withdraw consent under data protection law

The user has the right to withdraw his consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The user can withdraw his consent as follows: The user declares the withdrawal of his consent to the processing of his personal data via contact form, email, telephone or fax. In order to enable processing of the withdrawal, the user must identify himself in accordance with his original request.

8. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, the user shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he/she is resident, in his/her place of work or in the place where the alleged infringement occurred, if he/she considers that the processing of personal data concerning him/her is in breach of the GDPR.

The supervisory authority to which the complaint was filed shall inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.