With this data protection/privacy notice, we inform you about how your personal data is processed by us and which rights data protection law grants you in this context. The Nect Wallet includes the Nect Ident and Nect Sign processes.
The controller is:
Nect GmbH
Großer Burstah 21
20457 Hamburg, Germany
privacy@nect.com
Dr. Volkan Güngör
Nect GmbH
Großer Burstah 21
20457 Hamburg, Germany
Any questions or issues relating to your data should be addressed to privacy@nect.com.
Should you wish to contact our data protection officer directly (for example, because you have a particularly sensitive issue), please send him a letter by post as we cannot guarantee that email communications will always be completely secure.
For the initial and secure establishment of identity, your personal data must first be collected. However, not all of the previously collected data will be transferred to our partner companies. For information on the individual types of data, please refer to section III. 1. and for information on the recipients of your personal data, please refer to section V.
For some users, a redirect to our landing page (under the URL jump.nect.com or jump.nect.app) takes place prior to the start of the identity verification process. This landing page serves to transfer the user from a website to our app ("Nect Wallet"). There, the user can enter his mobile phone number and then receive an SMS from us with the link to the respective app store (where the app "Nect Wallet" is available for download) and/or call the app ("Universal Link"). The link can also be obtained directly by scanning the QR code on the landing page. Certain procedures (e.g. qualified electronic signature) also provide for processing of the user's e-mail address. If a usage contract is concluded between the user and us in the course of the identification procedure, the stored mobile phone number and/or e-mail address will be used as a means of communication for the duration of the contract (in particular in the case of detected fraud attempts using the identity of the user). The processing of the means of communication follows on the basis of the consent given according to Art. 6 para. 1 lit. a) GDPR.
We process the personal data that we receive from our users in the course of operating the "Nect Wallet" app or performing the optical control of identification documents. For this purpose, the user records, among other things, a video of his identity document and his face. The personal data processed by us in this context consist of
as well as other data comparable to the aforementioned categories and serving to securely establish identity.
To fulfill the Know your Customer (KYC) principle, we collect KYC-relevant data (e.g., residential address and location) in the further course of personal identification by means of manual entry by the user. The processing of KYC-relevant data follows on the basis of the consent given in accordance with Art. 6 para. 1 lit. a) GDPR. Beyond the consent given, we process KYC-relevant data if it is necessary to protect our legitimate interests or the legitimate interests of third parties (e.g. insurance companies) in accordance with Art. 6 para. 1 (f) GDPR and if your interests are not overriding. Our legitimate interest in using KYC-relevant data is, for example, to be able to uncover criminal or fraudulent activities against you or third parties, e.g. in the area of money laundering. The data retrieval only covers limited and necessary information. Appropriate safeguards are in place to limit any disproportionate and inappropriate consequences for the data subjects.
In the event of an identity verification via the online ID function of the German identity card (eID), the same personal data listed under point III. 1. of our data protection notice - with the exception of the user's audio/video sequence ("selfie") but including your biometric image and video data of the ID document - are processed.
Personal data is processed by us in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) on the following legal basis:
If you are over 16 years of age and have consented to certain processing of your personal data (e.g., the collection and processing of biometric data), the lawful processing of your personal data is based on this consent.
Without your biometric data, the Nect Ident procedure cannot be carried out. You can withdraw a granted consent at any time without stating a reason with effect for the future. This also applies to declarations of consent that you gave us before the GDPR came into force, i.e. before May 25, 2018. Since the revocation of consent applies to the future, it does not affect the validity of the processing until the time of revocation. Please note that according to section 13 of our General Terms and Conditions of Business (GTCB), any withdrawal will result in the termination of the user contract.
Your consent for data processing by partner service providers used by us is required if they are not acting as processors within the meaning of Art. 28 GDPR.
Personal data will be processed to perform the app functions. The above-mentioned data categories will thus be collected and processed within the scope of performing the contract.
Exception: In contrast to this, processing of the user’s biometric data (e.g. photograph) will be based on Item 1 (consent).
Insofar as we carry out verifications of health insurance cards for health insurance companies, the card number (ICCSN) must be entered before registration can begin. This data is collected within the scope of steps taken prior to a contract at the user’s request.
Over and above this, in individual cases we as a company are subject to statutory obligations (e.g. money laundering, telecommunications or tax legislation). These include, among others, verification of identity and age; prevention of fraud and money laundering; compliance with tax-law monitoring and reporting obligations and the assessment and steering of risks within the company.
In addition to this, in order to affirm the identity of the person to be identified we, as identification service providers, are obliged by law to ask certain security questions on behalf of our partner companies (providers of trust services) such as age, identity document number or the contract ID number. The legal basis for this is Art. 24 Para. 1 Subpara. 2 (d) Sentence 1 Regulation (EU) No. 910/2014 (eIDAS regulation) in conjunction with Art. 11, 8 German Trust Services Act (VDG).
Beyond the actual fulfillment of the contract with you, we process your data if it is necessary to protect our legitimate interests or the legitimate interests of third parties and if your interests do not prevail.
Our legitimate interest in using your personal data could, for example, be to combat corruption or economic crime as well as, in particular, to uncover criminal or fraudulent activities aimed at you or third parties, for example in the field of money laundering. Such processing is not least carried out because Recital 47 of the GDPR specifically recognises prevention of fraud as a legitimate interest which is particularly worthy of protection by stating that processing of personal data to the extent absolutely necessary to prevent fraud also represents a legitimate interest on the part of the relevant data controller. Since our partners (e.g. credit institutes) are obliged by law to set up corresponding security systems and we work for these partners, such prevention measures correspondingly apply to us.
Our interest in processing is legitimate because processing of the data only applies to restricted and necessary information. Appropriate protective measures have been implemented to restrict all disproportionate and improper consequences for data subjects.
Personal data collected for the purpose of safeguarding legitimate interests will be kept for as long as necessary to fulfill these purposes. More information about our legitimate interests can be obtained below under point VI. or by contacting us.
The data collected by the app will not be transmitted to third parties. An exception to this is if you were forwarded to our app via a partner – e.g. via insurance companies, telecommunications companies, banks or statutory health insurance companies. In such cases, we will ask you to give your explicit consent in the app that we may forward your data electronically to the partner. The partner receives personal data exclusively in each case only to the minimum extent legally or functionally required.
Thus, in the case of age verification, we regularly forward only the information whether you have reached a certain age limit, for example:
This ensures that, for example, your biometric video data or copies of the identification document are not transmitted to statutory health insurance companies.
Statutory requirements may make it necessary for us to transmit further data to the partner. For example, if the result of our identity verification service is needed to meet the requirements of the Money Laundering Act or the Telecommunications legislation, the following additional data will be transmitted:
The purpose of processing your personal data is to confirm your identity to our partner company, such as a health insurance company. The legal basis is their declaration of consent (Art. 9 para. 2 lit. a GDPR, Art. 6 para. 1 lit. a GDPR) and the user agreement (Art. 6 para. 1 lit. b GDPR).
For purpose fulfillment, especially the operation of our IT infrastructure, we also use service providers who ensure a smooth operation (e.g. hosting, managed services). However, these are used exclusively as processors in accordance with Art. 28 GDPR and are contractually obligated accordingly. There is no processing of personal data in third countries.
If we receive your data from your contractual partner for the purpose of order fulfillment within the scope of a digital signature (e.g. electronic signing of a contractual document in accordance with the eIDAS Regulation), we are exceptionally a processor in this respect within the meaning of Art. 28 GDPR. This means that we perform all data processing exclusively on behalf of and in accordance with the strict instructions of your responsible contractual partner. In this regard, we would like to refer you to clauses 5 and 6 of our GTCB (Nect Sign procedure).
In the event of a successful signature process, the document is stored in your Nect Wallet, with the consequence that your contractual partner (e.g., an insurance company) is no longer responsible for this data processing. Rather, in the course of the data storage in your Nect Wallet, we (again) become the responsible party pursuant to Art. 4 No. 7 GDPR, since you had confirmed your previous personal identification (Nect Ident) with your previously granted declaration of consent (see IV. 1 of this Privacy Notice) as well as consent to our GTCB (see section 3 of our GTCB). Nonetheless, the signed document is transmitted to all parties involved and remains the responsibility of the respective recipient there.
Nect is also obliged by or in order to comply with the German Trust Services Act (VDG) to transmit the data mentioned under point V. to the cooperating companies (trust service providers) known to the customer if the purpose of identification is a qualified electronic signature.
A further possible reason for forwarding the personal data stated in Item V. 1. above to third parties may, in exceptional cases, be forwarding of verification of your identity using an integration partner (e.g. a distributor) of ours or of the partner (e.g. the insurer) or of the partner’s customer (e.g. IT service provider). In such cases the integration partner will only be forwarded a report that verification was successful. The partner will process the forwarded data to comply with statutory and/or supervisory regulations which apply to them (e.g. money laundering legislation) and to comply with their rights and obligations arising from the contractual relationship between the partner and yourself.
In each case, processing of your personal data is carried out on the following legal basis:
We, as the company Nect, make use of contract processors for specific personal data-related processing flows. This includes, for example, using service providers to send out automated email messages within the scope of the Nect Sign procedure. In accordance with Art. 28 GDPR corresponding contract processing agreements are concluded with such service providers. These service providers thus only process personal data after receiving specific instructions and are contractually obliged to implement appropriate data protection-related technical and organisational measures.
We use links to share information (e.g. advertising) from your contractual partners and / or our partner companies (e.g. from an insurance company). For this purpose, no plug-ins are used or content from these partner companies is included. As long as you do not click on the link of the partner company to share content there, no data is sent to the respective partner companies. As soon as you click on a link, you will be directed to a website of the respective partner company.
In doing so, we only and exclusively process your IP address.
Further information and notes on data protection can be found in the respective data protection declarations of these partner companies.
You may exercise the following rights:
To exercise these rights contact the following entity:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
https://nect.com/privacy-request
Over and above this, in accordance with Article 77 GDPR in conjunction with Art. 19 BDSG, you have the right to lodge a complaint with the competent data protection supervisory authority. To do so, please contact the supervisory authority responsible for our domicile. The address can be found on the Internet under the following link:
Addresses and Links (Anschriften und Links)
You are not obliged to make your personal data available. Should you choose not to make your personal data available, we may, in certain circumstances, not be able to make the app features based on such data available.
The Nect Ident procedure compares recognition and identity data to verify your identity before informing you of the outcome of the verification. This outcome may, where applicable, lead to automated decision-making by the partner as defined by Section 2 (a) of our GTCB, namely in cases in which you, as a user of the partner’s web presence (e.g. an insurance or telecommunications company), were forwarded to our app for identification purposes. Following verification of identity, the partner will (as per your consent) be informed of the outcome so that they can make an automated decision based on the outcome – for example whether to conclude an insurance or pre-paid contract with you or whether to grant you access to the customer portal. In individual cases human intervention in the identity verification process is envisaged.
With regard to the above-mentioned automated decision-making and in accordance with Art. 22 Para. 3 GDPR, you have the right to human intervention on the part of the controller; to express your point of view and to contest the decision. These rights must be asserted against the partner.
Your data will not be automatically processed to evaluate specific personal aspects (profiling). Only a comparison of your recognition and identity data will take place.
The Nect Wallet uses Google ML Kit (both Android and iOS). In this context, all data processing takes place on your device; no image, audio or video files are transmitted to Google. Only the following data is generated when using Google ML Kit:
This data is used for (configuration) diagnosis and use analysis.
The collection and forwarding of this data is based on your consent pursuant to Art. 6 (1) a) GDPR and on a weighing of interests pursuant to Art. 6 (1) f) GDPR.
We have also agreed to standard data protection clauses of the European Commission with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For more information, please see Google's privacy policy:
Data Practices & Transparency - Google Safety Center
Frameworks for data transfers – Privacy Policy & Terms of Service – Google
You have the right to object to processing of your personal data which is carried out on the basis of Article 6 Para. 1 (e) (data processing in the public interest) or (f) (data processing on the basis of weighing up of interests) at any time on grounds relating to your personal situation; this also applies for profiling which is based on one of these provisions.
Should you object, then we will no longer process your personal data. Exceptions only apply if we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Objections may be made without any formal conditions being required and with the subject heading “Objection”, stating your name, address and date of birth and should be addressed to:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
privacy@nect.com
In addition to this, we use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation; partial or full loss; destruction or the unauthorized access of third parties. Our security measures are continuously improved in line with technological developments.
These data protection/privacy notes are currently valid. Further development of our app and its offerings or amendments to statutory or official specifications may make it necessary to amend these data protection/privacy notes. To view or print off the relevant current data protection/privacy declaration at any time, please go to our website (Nect | Home).
Current as of: September 2023