These data protection/privacy notes provide information regarding how we process your personal data and what data protection rights you have in this regard.
The controller is:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
privacy@nect.com
Our Data Protection Officer can be contacted at:
Dr. Volkan Güngör
Nect GmbH
Grosser Burstah 21, 20457 Hamburg, Germany
Any questions or issues relating to your data should be addressed to privacy@nect.com.
Should you wish to contact our data protection officer directly (for example, because you have a particularly sensitive issue), please send him a letter by post as we cannot guarantee that email communications will always be completely secure.
In particular we process personal data which we receive or collect from our users within the scope of operating the app.
The personal data which we process in this context comprises:
Surname and first name(s),
Date of birth,
Place of birth,
Address,
An image/video copy of the German federal identity card or passport (front and reverse) with the information contained in the identity document,
An image/video sequence of the user plus measurement data (biometric data),
An audio sequence of the user plus measurement data (biometric data),
The outcome of evaluation of the information,
An individual identification number assigned to the participant – identification number,
An individual identification number assigned to the transaction - transaction number (UUID),
Masked IP address,
Device identification and other device data of the mobile device,
In the case of transmission by partners: Origin of the transmission (e.g. URL of the web portal) and, where applicable, a return path destination (e.g. URL of the web portal),
In the case of verification of a health insurance card: An image/video copy of the card (front and reverse) with the data included on the card plus generally the card identification number (ICCSN) before verification commences,
In the case of verification of a driver’s licence: An image/video copy of the driver’s licence (front and reverse) with the information contained on the driver’s licence,
In the case of an electronic signature: The document to be signed
and other data which is comparable with the above-mentioned categories.
Some users are redirected to our landing page before the identity verification procedure begins. This landing page is used to transfer the user from a website to our app to establish their identity (“Nect Wallet”). Once in the app the user can enter their mobile phone number to receive an SMS from us with a link to the relevant app store (where the Nect Wallet is available to download) and/or to retrieve the app (“universal link”). If a usage contract is concluded between the user and us within the scope of the identification procedure, then the stored mobile phone number and/or email address will be used as a means of communication for the duration of the contract (in particular in the case of recognized attempted frauds using the user’s identity). Processing of the means of communication will be based on provision of consent as per Art. 6 Para. 1 (a) GDPR.
Personal data will be processed in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) on the following legal basis:
Based on your consent (Art. 6 Para. 1 lit. (a) GDPR)
Insofar as you are over 16 years of age and have consented to certain types of processing of your personal data (e.g. collecting and processing of biometric data), lawful processing of your personal data will be carried out on the basis of this consent.
The Nect Ident procedure cannot be carried out without your biometric data. You can withdraw any consent given at any time and without giving any reasons, effective for the future. This also applies to withdrawal of declarations provided to us prior to the coming into force of the GDPR, in other words before 25 May 2018. Since the withdrawal of consent is effective for the future, it will not affect the validity of processing up until the date of the withdrawal. Please note that, in accordance with Sect. 13 of our General Terms and Conditions of Business (GTCB), any withdrawal of consent will result in termination of the usage contract.
Your consent to data processing carried out by our service provider partners will be required if these companies are not active as contract processors as defined by Art. 28 GDPR.
To perform a contract (Art. 6 Para. 1 lit. (b) GDPR)
Personal data will be processed to perform the app functions. The above-mentioned data categories will thus be collected and processed within the scope of performing the contract.
Exception: In contrast to this, processing of the user’s biometric data (e.g. photograph) will be based on Item 1 (consent).
Insofar as we carry out verifications of health insurance cards for health insurance companies, then the card number (ICCSN) must be entered before registration can begin. This data is collected within the scope of steps taken prior to a contract at the user’s request.
Statutory or legal obligations (Art. 6 Para. 1 (c) GDPR) or for reasons of public interest (Art. 6 Para. 1 (e) GDPR)
Over and above this, in individual cases we as a company are subject to statutory obligations (e.g. money laundering, telecommunications or tax legislation). These include, among others, verification of identity and age; prevention of fraud and money laundering; compliance with tax-law monitoring and reporting obligations and the assessment and steering of risks within the company.
In addition to this, in order to affirm the identity of the person to be identified we, as identification service providers, are obliged by law to ask certain security questions on behalf of our partner companies (providers of trust services) such as age, identity document number or the contract ID number. The legal basis for this is Art. 24 Para. 1 Subpara. 2 (d) Sentence 1 Regulation (EU) No. 910/2014 (eIDAS regulation) in conjunction with Art. 11, 8 German Trust Services Act (VDG).
Within the scope of weighing up of interests (Art. 6 Para. 1 (f) GDPR)
Under certain circumstances we will process your data beyond the extent required to perform the contract with you insofar as this is required to protect our legitimate interests or legitimate third-party interests and these interests are not overridden by your interests.
Our legitimate interest in using your personal data could, for example, be to combat corruption or economic crime as well as, in particular, to uncover criminal or fraudulent activities aimed at you or third parties, for example in the field of money laundering. Such processing is not least carried out because Recital 47 of the GDPR specifically recognises prevention of fraud as a legitimate interest which is particularly worthy of protection by stating that processing of personal data to the extent absolutely necessary to prevent fraud also represents a legitimate interest on the part of the relevant data controller. Since our partners (e.g. credit institutes) are obliged by law to set up corresponding security systems and we work for these partners, such prevention measures correspondingly apply to us.
Our interest in processing is legitimate because processing of the data only applies to restricted and necessary information. Appropriate protective measures have been implemented to restrict all disproportionate and improper consequences for data subjects.
Personal data which is collected to safeguard legitimate interests will be stored for as long as required to meet these purposes. For more information on our legitimate interests, please see Item VI. below or contact us.
Partner companies
The data collected by the app will not be transmitted to third parties. An exception to this is if you were forwarded to our app via a partner – e.g. an insurance or telecommunications company or a bank. In such cases, the app will ask you to provide explicit consent that we may forward your data electronically to the partner. The partner will receive personal data solely to the minimum, legal or functional extent required.
In the case of age verification, for example, we generally forward only information regarding whether or not you have reached a certain age, such as:
It is, however, not generally necessary to forward the following data, for example if verification of identity is being used to prevent a disclosure of secrets as defined by Art. 203 German Criminal Code (StGB):
Statutory requirements may make it necessary for us to forward additional data to the partner. Should, for example, the outcome of our identity verification service be required to comply with German money laundering or telecommunications legislation, then the following additional data will be transmitted:
In addition to this, first and foremost for the purpose of operating our IT infrastructure, we use service providers to ensure smooth operations (e.g. hosting, managed services). These companies are, however, used solely as contract processors as defined by Art. 28 GDPR and subject to corresponding contractual obligations. No data processing takes place in third countries.
Furthermore, in order to comply with the German Trust Services Act (VDG) Nect is obliged to forward the data stated in Item V. above to the cooperating companies which are known to the customer (providers of trust services) if identity is being verified for the purpose of a qualified electronic signature.
Integration partners
A further possible reason for forwarding the personal data stated in Item V. 1. above to third parties may, in exceptional cases, be forwarding of verification of your identity using an integration partner (e.g. a distributor) of ours or of the partner (e.g. the insurer) or of the partner’s customer (e.g. IT service provider). In such cases the integration partner will only be forwarded a report that verification was successful. The partner will process the forwarded data to comply with statutory and/or supervisory regulations which apply to them (e.g. money laundering legislation) and to comply with their rights and obligations arising from the contractual relationship between the partner and yourself.
In each case, processing of your personal data is carried out on the following legal basis:
Contract processors
We, as the company Nect, make use of contract processors for specific personal data-related processing flows. This includes, for example, using service providers to send out automated email messages within the scope of the Nect Sign procedure. In accordance with Art. 28 GDPR corresponding contract processing agreements are concluded with such service providers. These service providers thus only process personal data after receiving specific instructions and are contractually obliged to implement appropriate data protection-related technical and organisational measures.
We will only archive or otherwise process your personal data for as long as required to achieve the relevant purpose.
When the processing purpose has ended, the corresponding personal data will be erased. Erasure may be delayed in the following cases:
Compliance with archiving periods specified by law (e.g. German Social Insurance Code (SGB IV), German Commercial Code (HGB), German Tax Code (AO), German Banking Act (KWG), German Money Laundering Act (GwG)). The archiving periods stipulated by such legislation are generally between 6 and 10 years.
Securing of evidence within the scope of the statute of limitations. In accordance with Art. 195 ff. of the German Civil Code (BGB) these statutes may be up to 30 years. The general statute of limitations is 3 years.
With regard to identification within the scope of a qualified electronic signature, the archiving period specified by law as per Art. 24 Para. 2 (h) eIDAS Regulation in conjunction with Art. 16 Para. 4 (2), 15 VDG.
Where processing of your data is based on weighing up of interests, such as securing of evidence, quality assurance, compliance audits or prevention of fraud, we will erase your personal data as soon as our legitimate interest no longer exists. The above-mentioned exceptions also apply in such cases.
Where consent has been given, data will be erased as soon as this consent is withdrawn, effective for the future, unless one of the above-mentioned exceptions applies.
During the procedure your device will generate data which is stored locally on your device. Our service will also transmit data to your device, such as the outcome of verification after the procedure has been completed. This locally stored data is not generally subject to our control; only you can erase this data (also from possible back-ups).
You may exercise the following rights:
Under the terms of Article 7 GDPR consent which has been given may be withdrawn at any time and without giving reasons. Withdrawal of consent will be effective for the future, whereby the lawfulness of data processing which has been carried out prior to withdrawal of consent will remain unaffected by the withdrawal.
Under the terms of Article 15 GDPR all data subjects have a right to information. You can, in particular, demand information about the purposes of processing.
In accordance with Article 16 GDPR data subjects may demand the rectification of inaccurate personal data.
In accordance with Art. 17 GDPR data subjects have a right to erasure, insofar as processing of the data is not necessary to exercise the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; or for the establishment, exercise or defence of legal claims, respectively
In accordance with Article 18 GDPR data subjects have a right to restriction of processing insofar as, for example, you contest the accuracy of the data or processing is unlawful.
In accordance with Article 20 GDPR all data subjects have a right to data portability.
Insofar as personal data was, for example, processed on the basis of legitimate interests as per Article 6 Para. 1 (f) GDPR, data subjects can also object to processing of their personal data under the conditions of Article 21 GDPR.
In the case of the right to information (Article 15 GDPR) and the right to erasure (Article 17 GDPR), Sect. 34 and 35 German Federal Data Protection Act (BDSG) will also apply.
To exercise these rights contact the following entity:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
https://nect.com/privacy-request
Over and above this, in accordance with Article 77 GDPR in conjunction with Art. 19 BDSG, you have the right to lodge a complaint with the competent data protection supervisory authority. To do so, please contact the supervisory authority responsible for our domicile. The address can be found on the Internet under the following link:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
You are not obliged to make your personal data available. Should you choose not to make your personal data available, we may, in certain circumstances, not be able to make the app features based on such data available.
The Nect Ident procedure compares recognition and identity data to verify your identity before informing you of the outcome of the verification. This outcome may, where applicable, lead to automated decision-making by the partner as defined by Section 2 (a) of our GTCB, namely in cases in which you, as a user of the partner’s web presence (e.g. an insurance or telecommunications company), were forwarded to our app for identification purposes. Following verification of identity, the partner will (as per your consent) be informed of the outcome so that they can make an automated decision based on the outcome – for example whether to conclude an insurance or pre-paid contract with you or whether to grant you access to the customer portal. In individual cases human intervention in the identity verification process is envisaged.
With regard to the above-mentioned automated decision-making and in accordance with Art. 22 Para. 3 GDPR, you have the right to human intervention on the part of the controller; to express your point of view and to contest the decision. These rights must be asserted against the partner.
Your data will not be automatically processed to evaluate specific personal aspects (profiling). Only a comparison of your recognition and identity data will take place.
The Nect Wallet uses Google ML Kit (both Android and iOS). In this context, all data processing takes place on your device; no image, audio or video files are transmitted to Google. Only the following data is generated when using Google ML Kit:
Device information (such as manufacturer, model, operating system version) and accessible hardware accelerators for ML (GPU and DSP).
App information (package name / bundle ID, app version)
ML Kit configuration information (such as the image resolution and format used).
Event types (such as “initialised”, “update”, “execution”).
Error codes
Performance information
Anonymous, installation-specific IDs which cannot be assigned to a person or device.
The address of the network request sender. The IP address will be temporarily stored.
This data is used for (configuration) diagnosis and use analysis.
The collection and forwarding of this data will be based on your consent as per Art. 6 Para. 1 (a) GDPR and weighing up of interests as per Art. 6 Para. 1 (f) GDPR.
Individual case-related right to object
You have the right to object to processing of your personal data which is carried out on the basis of Article 6 Para. 1 (e) (data processing in the public interest) or (f) (data processing on the basis of weighing up of interests) at any time on grounds relating to your personal situation; this also applies for profiling which is based on one of these provisions.
Should you object, then we will no longer process your personal data. Exceptions only apply if we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Recipient of an objection
Objections may be made without any formal conditions being required and with the subject heading “Objection”, stating your name, address and date of birth and should be addressed to:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
privacy@nect.com
In addition to this, we use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation; partial or full loss; destruction or the unauthorized access of third parties. Our security measures are continuously improved in line with technological developments.
These data protection/privacy notes are currently valid. Further development of our app and its offerings or amendments to statutory or official specifications may make it necessary to amend these data protection/privacy notes. To view or print off the relevant current data protection/privacy declaration at any time, please go to our website http://www.nect.com.
Status: June 2022
By following the link below, you can assert your data subject rights according to GDPR Art. 15 (right to information), Art. 16 (right to correction), Art. 17 (right to deletion, right to be forgotten), Art. 20 (right to data portability) as well as Art. 21 (right to object).