These data protection notes provide information regarding how we process your personal data and what data protection rights you have in this regard.
I. Controller of data processing
The controller is:
Großer Burstah 21
II. Data Protection Officer
Our Data Protection Officer can be contacted at
External data protection officer
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21, 20354 Hamburg
For all questions and concerns regarding your data, please contact firstname.lastname@example.org.
If you wish to communicate directly with our data protection officer (for example, because you have a particularly sensitive request), please contact him or her by post, as communication by e-mail can always have security gaps. Please state in your request that your concern relates to the company Nect GmbH.
III. Processed data and its origin
We primarily process personal data which we receive or gather from our users within the scope of operating the app. The personal data which we process in this context comprises
and other data which is comparable with the above-mentioned categories.
Prior to the beginning of identity establishment some users will be forwarded to our landing page. This landing page is used to transfer the user from a website to our app to establish their identity (“Nect App”). Once in the app the user can enter their mobile phone number to receive an SMS from us which contains a link to the relevant app store (where the Nect app is available to download) and / or to retrieve the app (“universal link”). If during the process of the identification procedure a usage contract is concluded between the user and us, then the stored mobile phone number will be used as a means of communication for the duration of the contract(in particular in the case of recognized attempted frauds using the user’s identity). Processing of the mobile phone number will take place on the basis of the consent provided in line with Art. 6 Para.1 (a) GDPR. It will be erased within 48 months of the contract ending.
IV. Processing purposes and legal basis
We will process personal data in accordance with the regulations of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) on the following legal basis:
1st To perform a contract (Article 6 Para. 1
Processing of personal data takes place to perform the app’s functions. The above-mentioned data categories are thus gathered and processed within the scope of performing the contact. Exception: Processing of the user’s biometric data (e.g. photograph) is, in contrast, based on Item 3 below (consent).
As far as we collect / verify health insurance card information / data, the use has to provide the health insurance card number (ICCSN) prior to performing the identification process. This information is collected by pre-contractual mean at the request of the user.
2nd Within the scope of weighing of interests (Article 6 Para.
Over and above actual performance of the contract with you, we may, in some circumstances, process your data insofar as this is required to safeguard our legitimate interests or the legitimate interests of third parties and insofar as your interests do not override this.
3rd On the basis of your consent (Article 6 Para. 1 lit. a
If you are over 16 years of age and have consented to specific processing of your personal data (e.g. gathering and processing of biometric data), legitimate processing of your personal data will take place on the basis of this consent. Without your biometric data, it is not possible to carry out the Robo-Ident procedure. You can withdraw any consent given at any time, effective for the future. This also applies to declarations of consent which you gave us before the GDPR came into force, i.e. before 25 May 2018. Since the withdrawal of consent is effective for the future, it will not affect the validity of processing up until the date of the withdrawal. Please note that, in accordance with Item 13 of our General Terms and Conditions of Business (GTCB), this will result in cancellation of the usage contract.
4th Statutory or legal stipulations (Article 6
Para. 1 (c)
GDPR) or in the public interest (Article 6 Para. 1 (e)
Over and above this, we, as a company, are subject to legal obligations in specific cases (e.g. money laundering laws, tax laws). These include, among others, verification of identity and age; prevention of fraud and money laundering; compliance with tax-law monitoring and reporting obligations and the assessment and steering of risks within the company.
V. Data recipients
The data gathered by the app will not be transmitted to third parties. An exception to this is if you were forwarded to our app via a partner – e.g. an insurance company or bank. In such cases, prior to carrying out the Robo-Ident procedure in the app we will ask you to provide us with explicit consent that we may forward the outcome of the personal identification electronically to the partner. The partner will, in each case, receive personal data solely to the minimum, legal or functional extent required.
In the case of age verification, for example, we generally forward only information regarding whether or not you have reached a certain age, such as:
It is, however, generally necessary to transmit the following data, for example if the identity verification is being used to avoid betrayal of secrets as per Sect. 203 German Tax Code (StGB):
Statutory requirements may make it necessary for us to forward additional data to the partner. Should, for example, the outcome of our identity verification service be required to comply with German money laundering or telecommunications legislation, then the following additional data will be transmitted:
In addition to this, for the purpose of operating our IT infrastructure we use service providers to ensure that smooth operation of the Robo-Ident procedure (e.g. hosting, managed services). These companies are, however, used solely as contract processors as defined by Art. 28 GDPR and subject to corresponding contractual obligations. No data processing takes place in third countries.
VI. Duration of storage of
We will only store or otherwise process your personal data for as long as required to achieve the relevant purpose.
When the processing purpose has ended, the corresponding personal data will be erased. Erasure may be delayed in the following cases:
Should, in exceptional cases, we or third parties process your data due to the above-mentioned weighing of interests, we will erase your personal data as soon as our legitimate interest no longer exists. The above-mentioned exceptions also apply in such cases.
In the case of consent, the data will be deleted as soon as the consent is revoked for the future unless there is one of the exceptions mentioned above.
During carrying out of the procedure your device will generate data which is stored locally on your device. Our service will also transmit data to your device, such as the outcome of verification after the procedure has been completed. This locally stored data is not generally subject to our control, whereby only you can erase this data (also from possible back-ups)
VII. Data subject rights
Under the terms of Article 15 GDPR all data subjects have a right to information. As per Article 16 GDPR data subjects may demand the rectification of inaccurate personal data. In accordance with Article 17 GDPR data subjects have a right to erasure respectively as per Article 18 a right to restriction of processing. Data subjects can, under the conditions of Article 21 GDPR also object to processing of personal data concerning them. Under Article 20 GDPR data subjects have a right to data portability. The rights to information and to erasure are also supplemented by Art. 34 and 35 German Federal Data Protection Act (BDSG Article 15 GDPR all data subjects have a right to information. To exercise your rights contact the following entity:
Großer Burstah 21
In addition, you have a right of appeal to the competent data protection supervisory authority in accordance with Article 77 DS-GVO in conjunction with Section 19 BDSG. You can contact the supervisory authority at our company headquarters for this purpose. You can find the address on the Internet under the following link. A given consent can be revoked at any time.
Any consent you have given to us can be withdrawn at any time.
VIII. Obligation to make personal data available You are not obliged to make your personal data available. Should you choose not to make your personal data available, we may, in certain circumstances, not be able to make the app features based on them available.
IIX. Automated decision-making
The Robo-Ident procedure compares recognition and identity data to verify your identity before informing you of the outcome of the verification. This outcome may, where applicable, lead to automated decision-making by the partner as defined by Section 2 (a) of our GTCB, namely in cases in which you, as a user of this partner’s web presence (e.g. an insurance company) were forwarded to our app for identification purposes. Following verification of identity, the partner will (in line with your consent) be informed of the outcome so that they can make an automated decision based on it – for example whether to conclude an insurance contract with you or to grant you access to the customer portal.
With regard to the above-mentioned automated decision-making and in accordance with Art. 22 Para. 3 GDPR you have the right to obtain human intervention on the part of the controller; to express your own point of view and to contest the decision. These rights must be asserted against the Partner.
Your data will not be automatically processed to evaluate specific personal aspects (profiling). Only a comparison of your recognition and identity data will take place.
XI. Information regarding your right to object as per Article 21 GDPR
1. Right to object in individual cases
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 Para. 1 (e) (data processing in the public interest) or Point (f) (data processing based on a weighing of interests); this also applies to profiling based on these provisions
Should you object, then we will no longer process your personal data. Exceptions only apply if we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
2. Recipient of an objection
The objection may be made without any formal requirements under the subject heading “Objection” and including your name, address and date of birth. It should be addressed to:
Großer Burstah 21
XII. Data security
In addition to this, we use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation; partial or full loss; destruction or the unauthorized access of third parties. Our security measures are continuously improved in line with technological developments.
These data protection notes are currently valid as of the date indicated below. Further development of our website and its offerings or amendments to statutory or official specifications may make it necessary to amend these data protection notes. The relevant current data protection declaration can be downloaded and printed by clicking the following link: http://www.nect.com.
Status: January 2021
By following the link below, you can assert your data subject rights according to DSG-VO Art. 15 (right to information), Art. 16 (right to correction), Art. 17 (right to deletion, right to be forgotten), Art. 20 (right to data portability) as well as Art. 21 (right to object).