Data protection / privacy notes for users of the Nect Wallet / the Nect Ident process

With this data protection / privacy notice, we inform you about how your personal data is processed by us and which rights data protection law grants you in this context. The Nect Wallet includes the Nect Ident and Nect Sign processes.

(I) Controller of data processing

The controller is:

Nect GmbH
Großer Burstah 21
20457 Hamburg, Germany
privacy@nect.com

(II) Our Data Protection Officer can be contacted at:

Dr. Volkan Güngör

Nect GmbH
Großer Burstah 21
20457 Hamburg, Germany

Any questions or issues relating to your data should be addressed to privacy@nect.com.

Should you wish to contact our data protection officer directly (for example, because you have a particularly sensitive issue), please send him a letter by post as we cannot guarantee that email communications will always be completely secure.

(III) Data processing and origin

For the initial and secure establishment of identity, your personal data must first be collected. However, not all of the previously collected data will be transferred to our partner companies. For information on the individual types of data, please refer to section III. 1. and for information on the recipients of your personal data, please refer to section V.

For some users, a redirect to our landing page (under the URL jump.nect.com or jump.nect.app) takes place prior to the start of the identity verification process. This landing page serves to transfer the user from a website to our app ("Nect Wallet"). There, the user can enter his mobile phone number and then receive an SMS from us with the link to the respective app store (where the app "Nect Wallet" is available for download) and / or call the app ("Universal Link"). The link can also be obtained directly by scanning the QR code on the landing page. Certain procedures (e.g. qualified electronic signature) also provide for processing of the user's e-mail address. If a usage contract is concluded between the user and us in the course of the identification procedure, the stored mobile phone number and/or e-mail address will be used as a means of communication for the duration of the contract (in particular in the case of detected fraud attempts using the identity of the user). The processing of the means of communication follows on the basis of the consent given according to Art. 6 para. 1 lit. a) GDPR.

1. Use of the digital optical control of the identity document

We process the personal data that we receive from our users in the course of operating the "Nect Wallet" app or performing the optical control of identification documents. For this purpose, the user records, among other things, a video of his identity document and his face. The personal data processed by us in this context consist of

  • Surname and first name(s),
  • date of birth,
  • place of birth,
  • residential address,
  • a picture/video copy of the federal identity card or passport (front and back) with the information contained on the identity document,
  • a picture/video sequence of the user together with a measurement file (biometric data)
  • an audio sequence of the user together with the measurement file (biometric data)
  • Result of the evaluation of the data
  • an individual identification number assigned to the participant - identification number
  • an individual identification number assigned to the transaction - transaction number (UUID)
  • masked IP address
  • device identifier and other device data of the mobile device
  • in case of forwarding by partner: source of forwarding (e.g. URL of the web portal) and, if applicable, a return destination (e.g. URL of the web portal)
  • in the case of verification of the health insurance card (e.g. electronic health card / eGK): an image/video copy of the card (front and back) with the data contained on the card, and regularly the card's identification number (ICCSN) before the start of verification,
  • in case of driver's license verification: a picture/video copy of the driver's license (front and back) with the data contained on the driver's license
  • in case of electronic signature: the document to be signed

as well as other data comparable to the aforementioned categories and serving to securely establish identity.

To fulfill the Know your Customer (KYC) principle, we collect KYC-relevant data (e.g., residential address and location) in the further course of personal identification by means of manual entry by the user. The processing of KYC-relevant data follows on the basis of the consent given in accordance with Art. 6 para. 1 lit. a) GDPR. Beyond the consent given, we process KYC-relevant data if it is necessary to protect our legitimate interests or the legitimate interests of third parties (e.g. insurance companies) in accordance with Art. 6 para. 1 (f) GDPR and if your interests are not overriding. Our legitimate interest in using KYC-relevant data is, for example, to be able to uncover criminal or fraudulent activities against you or third parties, e.g. in the area of money laundering. The data retrieval only covers limited and necessary information. Appropriate safeguards are in place to limit any disproportionate and inappropriate consequences for the data subjects.

2. Use of the online ID function of the German ID card

In the event of an identity verification via the online ID function of the German identity card (eID), the same personal data listed under point III. 1. of our data protection notice - with the exception of the user's audio/video sequence ("selfie") but including your biometric image and video data of the ID document - are processed.

(IV) Processing purposes and legal basis

Personal data is processed by us in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) on the following legal basis:

1. Based on your consent (Art. 6 Para. 1 lit. (a), 9 para. 2 lit. a) GDPR)

If you are over 16 years of age and have consented to certain processing of your personal data (e.g., the collection and processing of biometric data), the lawful processing of your personal data is based on this consent.

Without your biometric data, the Nect Ident procedure cannot be carried out. You can withdraw a granted consent at any time without stating a reason with effect for the future. This also applies to declarations of consent that you gave us before the GDPR came into force, i.e. before May 25, 2018. Since the revocation of consent applies to the future, it does not affect the validity of the processing until the time of revocation. Please note that according to section 13 of our General Terms and Conditions of Business (GTCB), any withdrawal will result in the termination of the user contract.

Your consent for data processing by partner service providers used by us is required if they are not acting as processors within the meaning of Art. 28 GDPR.

2. For the fulfillment of a contract (Article 6 para. 1 lit. b) GDPR)

Personal data will be processed to perform the app functions. The above-mentioned data categories will thus be collected and processed within the scope of performing the contract.

Exception: In contrast to this, processing of the user’s biometric data (e.g. photograph) will be based on Item 1 (consent).

Insofar as we carry out verifications of health insurance cards for health insurance companies, then the card number (ICCSN) must be entered before registration can begin. This data is collected within the scope of steps taken prior to a contract at the user’s request.

3. Statutory or legal requirements (Article 6 (1) (c) GDPR) or for reasons of public interest (Article 6 (1) (e) GDPR).

Over and above this, in individual cases we as a company are subject to statutory obligations (e.g. money laundering, telecommunications or tax legislation). These include, among others, verification of identity and age; prevention of fraud and money laundering; compliance with tax-law monitoring and reporting obligations and the assessment and steering of risks within the company.

In addition to this, in order to affirm the identity of the person to be identified we, as identification service providers, are obliged by law to ask certain security questions on behalf of our partner companies (providers of trust services) such as age, identity document number or the contract ID number. The legal basis for this is Art. 24 Para. 1 Subpara. 2 (d) Sentence 1 Regulation (EU) No. 910/2014 (eIDAS regulation) in conjunction with Art. 11, 8 German Trust Services Act (VDG).

4. Within the scope of the weighing of interests (Art. 6 Para. 1 (f) GDPR)

Beyond the actual fulfillment of the contract with you, we process your data if it is necessary to protect our legitimate interests or the legitimate interests of third parties and if your interests do not prevail.

Our legitimate interest in using your personal data could, for example, be to combat corruption or economic crime as well as, in particular, to uncover criminal or fraudulent activities aimed at you or third parties, for example in the field of money laundering. Such processing is not least carried out because Recital 47 of the GDPR specifically recognises prevention of fraud as a legitimate interest which is particularly worthy of protection by stating that processing of personal data to the extent absolutely necessary to prevent fraud also represents a legitimate interest on the part of the relevant data controller. Since our partners (e.g. credit institutes) are obliged by law to set up corresponding security systems and we work for these partners, such prevention measures correspondingly apply to us.

Our interest in processing is legitimate because processing of the data only applies to restricted and necessary information. Appropriate protective measures have been implemented to restrict all disproportionate and improper consequences for data subjects.

Personal data collected for the purpose of safeguarding legitimate interests will be kept for as long as necessary to fulfill these purposes. More information about our legitimate interests can be obtained below under point VI. or by contacting us.

(V) Data recipients

1. Partner companies

The data collected by the app will not be transmitted to third parties. An exception to this is if you were forwarded to our app via a partner – e.g. via insurance companies, telecommunications companies, banks or statutory health insurance companies. In such cases, we will ask you to give your explicit consent in the app that we may forward your data electronically to the partner. The partner receives personal data exclusively in each case only to the minimum extent legally or functionally required.

Thus, in the case of age verification, we regularly forward only the information whether you have reached a certain age limit, for example:

  • The person is over 18 years of age.

It is, however, not generally necessary to forward the following data, for example if verification of identity is being used to prevent a disclosure of secrets as defined by Art. 203 German Criminal Code (StGB):

  • Surname,
  • First name,
  • Address,
  • Information whether or not there is an address sticker,
  • Date and place of birth
  • (Partial) outcome of verification

This ensures that, for example, your biometric video data or copies of the identification document are not transmitted to statutory health insurance companies.

Statutory requirements may make it necessary for us to transmit further data to the partner. For example, if the result of our identity verification service is needed to meet the requirements of the Money Laundering Act or the Telecommunications legislation, the following additional data will be transmitted:

  • Photocopy of the identity document in compliance with data protection and identity card law requirements
  • Copy of the selfie recording

The purpose of processing your personal data is to confirm your identity to our partner company, such as a health insurance company. The legal basis is their declaration of consent (Art. 9 para. 2 lit. a GDPR, Art. 6 para. 1 lit. a GDPR) and the user agreement (Art. 6 para. 1 lit. b GDPR).

For purpose fulfillment, especially the operation of our IT infrastructure, we also use service providers who ensure a smooth operation (e.g. hosting, managed services). However, these are used exclusively as processors in accordance with Art. 28 GDPR and are contractually obligated accordingly. There is no processing of personal data in third countries.

If we receive your data from your contractual partner for the purpose of order fulfillment within the scope of a digital signature (e.g. electronic signing of a contractual document in accordance with the eIDAS Regulation), we are exceptionally a processor in this respect within the meaning of Art. 28 GDPR. This means that we perform all data processing exclusively on behalf of and in accordance with the strict instructions of your responsible contractual partner. In this regard, we would like to refer you to clauses 5 and 6 of our GTCB (Nect Sign procedure).

In the event of a successful signature process, the document is stored in your Nect Wallet, with the consequence that your contractual partner (e.g., an insurance company) is no longer responsible for this data processing. Rather, in the course of the data storage in your Nect Wallet, we (again) become the responsible party pursuant to Art. 4 No. 7 GDPR, since you had confirmed your previous personal identification (Nect Ident) with your previously granted declaration of consent (see IV. 1 of this Privacy Notice) as well as consent to our GTCB (see section 3 of our GTCB). Nonetheless, the signed document is transmitted to all parties involved and remains the responsibility of the respective recipient there.

Nect is also obliged by or in order to comply with the German Trust Services Act (VDG) to transmit the data mentioned under point V. to the cooperating companies (trust service providers) known to the customer if the purpose of identification is a qualified electronic signature.

2. Integration partners

A further possible reason for forwarding the personal data stated in Item V. 1. above to third parties may, in exceptional cases, be forwarding of verification of your identity using an integration partner (e.g. a distributor) of ours or of the partner (e.g. the insurer) or of the partner’s customer (e.g. IT service provider). In such cases the integration partner will only be forwarded a report that verification was successful. The partner will process the forwarded data to comply with statutory and/or supervisory regulations which apply to them (e.g. money laundering legislation) and to comply with their rights and obligations arising from the contractual relationship between the partner and yourself.

In each case, processing of your personal data is carried out on the following legal basis:

  • Based on your consent to data processing as per Art. 6 Para. 1 lit. (a) GDPR
  • To perform a contract as per Art. 6 Para. 1 lit. (b) GDPR
  • To comply with a legal obligation to which the partner is subject as per Art. 6 Para. 1 (c) GDPR
  • Within the scope of the relevant contractual relationship with our corresponding service provider partner as per Art. 28 GDPR.

3. Contract processors

We, as the company Nect, make use of contract processors for specific personal data-related processing flows. This includes, for example, using service providers to send out automated email messages within the scope of the Nect Sign procedure. In accordance with Art. 28 GDPR corresponding contract processing agreements are concluded with such service providers. These service providers thus only process personal data after receiving specific instructions and are contractually obliged to implement appropriate data protection-related technical and organisational measures.

VI. Duration of archiving of personal data

We use links to share information (e.g. advertising) from your contractual partners and / or our partner companies (e.g. from an insurance company). For this purpose, no plug-ins are used or content from these partner companies is included. As long as you do not click on the link of the partner company to share content there, no data is sent to the respective partner companies. As soon as you click on a link, you will be directed to a website of the respective partner company.

In doing so, we only and exclusively process your IP address.

  • If you have given us your consent, the legal basis is Art. 6 para. 1 lit. a GDPR.
  • Furthermore, the data processing is carried out to protect our legitimate interests pursuant to Art. 6 (1) lit. f GDPR. The legitimate interest of both us and our partner companies is the economic interest and thus the freedom of action as well as trade in the preparation, optimization and / or implementation of promotional measures and / or target group-oriented advertising in order to continuously improve the quality of products and / or services.

Further information and notes on data protection can be found in the respective data protection declarations of these partner companies.

VII. Data subject rights

You may exercise the following rights:

  • Under the terms of Article 7 GDPR consent which has been given may be withdrawn at any time and without giving reasons. Withdrawal of consent will be effective for the future, whereby the lawfulness of data processing which has been carried out prior to withdrawal of consent will remain unaffected by the withdrawal.
  • Under the terms of Article 15 GDPR all data subjects have a right to information. You can, in particular, demand information about the purposes of processing.
  • In accordance with Article 16 GDPR data subjects may demand the rectification of inaccurate personal data.
  • In accordance with Art. 17 GDPR data subjects have a right to erasure, insofar as processing of the data is not necessary to exercise the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; or for the establishment, exercise or defence of legal claims, respectively
  • In accordance with Article 18 a right to restriction of processing insofar as, for example, you contest the accuracy of the data or processing is unlawful.
  • In accordance with Article 20 GDPR all data subjects have a right to data portability.
  • Insofar as personal data was, for example, processed on the basis of legitimate interests as per Article 6 Para. 1 (f) GDPR, data subjects can also object to processing of their personal data under the conditions of Article 21 GDPR.
  • In the case of the right to information (Article 15 GDPR) and the right to erasure (Article 17 GDPR), Sect. 34 and 35 German Federal Data Protection Act (BDSG) will also apply.

To exercise these rights contact the following entity:

Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
https://nect.com/privacy-request

Over and above this, in accordance with Article 77 GDPR in conjunction with Art. 19 BDSG, you have the right to lodge a complaint with the competent data protection supervisory authority. To do so, please contact the supervisory authority responsible for our domicile. The address can be found on the Internet under the following link:

Addresses and links (Anschriften und Links)

VIII. Obligation to make personal data available

You are not obliged to make your personal data available. Should you choose not to make your personal data available, we may, in certain circumstances, not be able to make the app features based on such data available.

IX. Automated decision-making

The Nect Ident procedure compares recognition and identity data to verify your identity before informing you of the outcome of the verification. This outcome may, where applicable, lead to automated decision-making by the partner as defined by Section 2 (a) of our GTCB, namely in cases in which you, as a user of the partner’s web presence (e.g. an insurance or telecommunications company), were forwarded to our app for identification purposes. Following verification of identity, the partner will (as per your consent) be informed of the outcome so that they can make an automated decision based on the outcome – for example whether to conclude an insurance or pre-paid contract with you or whether to grant you access to the customer portal. In individual cases human intervention in the identity verification process is envisaged.

With regard to the above-mentioned automated decision-making and in accordance with Art. 22 Para. 3 GDPR, you have the right to human intervention on the part of the controller; to express your point of view and to contest the decision. These rights must be asserted against the partner.

X. Profiling

Your data will not be automatically processed to evaluate specific personal aspects (profiling). Only a comparison of your recognition and identity data will take place.

XI. Use of Google ML Kit

The Nect Wallet uses Google ML Kit (both Android and iOS). In this context, all data processing takes place on your device; no image, audio or video files are transmitted to Google. Only the following data is generated when using Google ML Kit:

  • Device information (such as manufacturer, model, operating system version) and accessible hardware accelerators for ML (GPU and DSP).
  • App information (package name / bundle ID, app version)
  • ML Kit configuration information (such as the image resolution and format used).
  • Event types (such as “initialised”, “update”, “execution”).
  • Error codes
  • Performance information
  • Anonymous, installation-specific IDs which cannot be assigned to a person or device.
  • The address of the network request sender. The IP address will be temporarily stored.

This data is used for (configuration) diagnosis and use analysis.

The collection and forwarding of this data is based on your consent pursuant to Art. 6 (1) a) GDPR and on a weighing of interests pursuant to Art. 6 (1) f) GDPR.

We have also agreed to standard data protection clauses of the European Commission with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For more information, please see Google's privacy policy:

Data Practices & Transparency - Google Safety Center

Legal frameworks for data transfers – Privacy & Terms – Google

XII. Information regarding your right to object as per Article 21 GDPR

1. Individual case-related right to object

You have the right to object to processing of your personal data which is carried out on the basis of Article 6 Para. 1 (e) (data processing in the public interest) or (f) (data processing on the basis of weighing up of interests) at any time on grounds relating to your personal situation; this also applies for profiling which is based on one of these provisions.

Should you object, then we will no longer process your personal data. Exceptions only apply if we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

2. Recipient of an objection

Objections may be made without any formal conditions being required and with the subject heading “Objection”, stating your name, address and date of birth and should be addressed to:

Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
privacy@nect.com

XIII. Data security

In addition to this, we use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation; partial or full loss; destruction or the unauthorized access of third parties. Our security measures are continuously improved in line with technological developments.

XIII. Currentness

These data protection / privacy notes are currently valid. Further development of our app and its offerings or amendments to statutory or official specifications may make it necessary to amend these data protection / privacy notes. To view or print off the relevant current data protection / privacy declaration at any time, please go to our website (Nect | Home).

Current as of: September 2023