Skip to main content
WebID
DeutschEnglishEspañol

Data protection information WebID

(App and own landing page)

  1. Scope and definitions

This data protection information applies to the use of the WebID Wallet (hereinafter “Wallet”) and the services and offers contained therein.

In addition to this data protection information, the “WebID Privacy Policy” applies to our other services and performances.

  1. Name and address of the person responsible

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is WebID Solutions GmbH.

WebID Solutions GmbH
Unter den Linden 10
10117 Berlin

If you would like to contact us, you can also use the following options in addition to the information in the legal notice:

Tel.: 030 55574760

e-mail: info@webid-solutions.de

Imprint

  1. Name and address of data protection officer

You can contact our external data protection officer as follows:

Silvia C. Bauer

WebID Solutions GmbH, Data Protection Officer

Unter den Linden 10, 10117 Berlin

e-mail: datenschutz@webid-solutions.de

  1. Provision and use of the Wallet app

To use our Wallet, you must save our Wallet app on your mobile phone and register. You can store your ID card or other documents in the Wallet app and use them as you wish, e.g. to confirm your identity or redeem vouchers.

  • Technical provision of the wallet

We process your data for the technical provision of the Wallet app. This includes IP address, information about the end device (including device/device type, operating system, Wallet app version) so that the Wallet app can be provided and operated. We also store corresponding log files.

  • Registration process

Registration is possible in various ways, depending on whether you have already come into contact with the WebID services as part of online identification and have already created a user profile with WebID, or whether you are registering for the first time via the Wallet app. In any case, your identification or the creation of a user profile with WebID is required. Further information on the handling of your data by WebID during identification or the separate creation of the user profile can be found in our general privacy policy, which is available at https://webid-solutions.de/datenschutzbestimmungen/.

Description of the process for an existing user profile

If you have already successfully completed a separate process at WebID to confirm your identity and have received a transaction number from WebID, you can enter this transaction number in the corresponding field of the Wallet App and then access your user profile already created elsewhere at WebID when registering for the Wallet App. Before transferring your data to the Wallet app, we will send a TAN to the mobile phone number you have stored with WebID, which you must enter in the Wallet app for your authentication. After entering the transaction number, your data for registration in the Wallet app is automatically transferred, the Wallet app user profile is automatically filled in and stored locally on your end device. This involves the following data: Images of the front and back of the ID card or pages 1 and 2 of the passport and the information on them, first name and surname, date of birth, ID card number, expiry date, place of birth, place of residence. You can retrieve the data in the Wallet app if required.

Description of the process for initial registration using WebID AI Ident

To register for the first time, first enter your mobile phone number in the Wallet app. You will then receive a TAN, which you must enter for authentication purposes. The identification process then begins. To do this, you must  a portrait photo of yourself, photograph the front and back of your ID card or pages 1 and 2 of your passport and make this data available in the Wallet app. The ID card data and the portrait photo are subject to fully automated verification by WebID AI Ident. For details of this data processing, please refer to our general privacy policy, section 3.3.1 lit. c. Fully automated identification by WebID AI Ident can take place in different ways: Either your data is compared with your ID document or an additional check is carried out to determine whether it is a valid ID document; if necessary, a biometric comparison of the portrait photo you have taken with the photo on your ID document is also carried out. WebID only receives the result of the comparison, but no biometric data (see section 3.3.1 lit. f of the general privacy policy). After successful completion of the Web AI Ident and the creation of your user profile for the use of the Wallet App by WebID, you will receive a TAN to the mobile phone number you provided during the registration process. After you have entered the TAN in the Wallet App for authentication purposes, the data automatically stored in your user profile will be transferred by WebID to the Wallet App for the purpose of finalising the initial registration and the Wallet App user profile will be completed. Your above-mentioned data will then also be stored locally on your end device in your Wallet App user profile and can be accessed there if required

  • General use of the Wallet app

You are free to decide which documents you want to store in the Wallet app alongside your ID document. This can be the scan of your driving licence or the scan of the QR code of an e-prescription. The documents you upload when using the Wallet app and your Wallet app user profile are stored locally on your end device. WebID cannot access these.

The transmission of documents or data will only take place after your prior authorisation (e.g. by means of a TAN).

The Wallet app also allows you to generate your own QR codes. If you press the “QR code” button in the Wallet app, this is automatically generated via the WebID. You can make this QR code available to a company so that it can scan the QR code and then receive confirmation from the WebID that you have successfully identified yourself to the WebID. Companies must use the “WebID Business App” for the scan and can retrieve the confirmation either via this or via the “WebID Business Portal”. Both are access-protected. Before the requesting company receives the confirmation and the data stored in the Wallet App user profile from WebID, you must also actively authorise the transmission in the Wallet App by clicking on Request.

  • Vouchers

You can use the Wallet app to easily redeem vouchers at certain online shops or shops. WebID works together with its partner Sovendus GmbH, Hermann-Veit-Straße 6, 76135 Karlsruhe (“Sovendus”). To display and redeem the vouchers, you must enter your email address in the Wallet app and confirm this using a TAN. After successful authentication, the email address is first forwarded to Sovendus and Sovendus checks whether you have created a profile with Sovendus. If the check is successful, Sovendus forwards your data to the Sovendus voucher partners. Sovendus also transfers your vouchers to the Wallet app. You can then redeem the vouchers with the respective voucher partner. WebID does not archive the vouchers centrally.

  • Mini loans

As part of the WebID Wallet, WebID also offers the brokerage of loans (so-called “mini-loans”) under the “Finance” tab. WebID processes your personal data for the purpose of implementing the loan brokerage agreement concluded between you and WebID. This initially includes the data provided by you when registering for the WebID Wallet and information on the conclusion of the contract with WebID

As part of the brokerage of the mini loans, the personalised configuration of loan offers is also carried out, which are specifically tailored to your wishes and individual circumstances. This is based on the additional data you provide in the “Mini loans” form. When you submit the form, this data is passed on to the partner bank, which then takes further steps on its own responsibility, in particular providing you with further (mandatory) information, including on the desired loan, or deciding on your enquiry or concluding a loan agreement with you. Only the data required by the partner bank will be requested. If you do not provide the data in full, we will not be able to arrange a loan and you will have to contact the partner bank directly. After transmission to the partner bank, the data entered in the form will be deleted immediately by WebID, so that no further storage of this data by WebID takes place. The following personal data is requested:

  • Name
  • Nationality
  • Date of birth
  • Marital status
  • Number of children
  • Residence permit (type, expiry date and date of issue)
  • Current address
  • Housing situation
  • Rent
  • Resident since
  • Previous address
  • Professional group
  • Main income
  • Industry
  • Country of employment
  • Duration of employment
  • Intended use of the loan
  • IBAN
  • BIC
  • Duration of the account
  • Mobile phone number
  • e-mail address

The partner bank’s decision on your loan application also depends on your individual creditworthiness (“credit rating”). With your consent, which we obtain on behalf of the partner bank, it therefore also processes your personal data for the purpose of obtaining credit information and requests corresponding information from credit agencies. This has no effect on your score with these credit agencies. You can access the data protection information of our partner bank, further information on the handling of your data by them, as well as the list of credit agencies used by them and their data protection information here:

https://www.consorsfinanz.de/datenschutzerklaerung

www.consorsfinanz.de/datenschutz-auskunfteien

The legal basis for these transfers by the partner bank and their further processing is Art. 6 para. 1 lit. b), c) and f) GDPR and, if applicable, Art. 6 para. 1 lit. a) GDPR if you give your consent. In this context, you also release the partner banks from banking secrecy. If you do not give your consent to the transfer of your data to credit agencies or do not release the partner bank from banking secrecy, this may result in you having to contact the partner bank directly because we cannot place you or that this makes it difficult or impossible for the partner bank to assess your creditworthiness, which in turn may result in you being refused the loan by the partner bank.

Note on the automated credit decision

WebID does not carry out automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR.

Please note, however, that the partner bank may make automated decisions within the meaning of Art. 22 GDPR, which may lead to a rejection of your loan application. In such a case, you have the right to have the decision reviewed. Please contact the partner bank directly at . Further information can be found, for example, at https://www.consorsfinanz.de/datenschutz-scoring

  • Deletion of documents, etc.

You can delete the documents or vouchers stored locally in the Wallet app at any time, with the exception of your ID document. You can also delete or uninstall the Wallet app altogether at any time. This will also delete the data stored locally on your end device or the Wallet App user profile stored there.

Your ID document is also linked to your user profile stored by WebID as part of the identification process and can be deleted in accordance with the provisions set out in the general privacy policy https://webid-solutions.com/en/privacy-policy/. This applies accordingly to the user profile created as part of the identification process.

  • Legal basis

As part of the Wallet App, we initially process personal data that we have already collected  you either as part of an identification process or during initial registration. Once the Wallet app has been successfully installed on your end device, this data and the data collected when using the Wallet app will be processed in order to provide the (additional) service of using a digital wallet and the services offered in this context. In this respect, the legal bases for processing are

  • 6 para. 1 lit. b GDPR for the fulfilment of the contract and for the provision of services in connection with the Wallet app, such as the redemption of vouchers and the fulfilment of the loan brokerage contract for mini-loans;
  • 25 para. 2 no. 2 TDDDG for the technical provision of the Wallet App, as the processing of the above-mentioned data is absolutely necessary so that we can enable you to use the Wallet App as expressly requested by you;
  • the protection of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, our legitimate interest lies in being able to provide you with the Wallet app and its functions technically and securely.
    • Use of data by Apple/Google or other service providers

When using the Wallet app, it cannot be ruled out that Apple (if you use the app on an iOS device) or Google (if you use the app on an Android device) or other service providers may process your personal data. We have no influence on this data processing and are not responsible for it. Please refer to the privacy policies of Apple (https://www.apple.com/de/privacy/privacy-policy/) or Google (https://policies.google.com/privacy?hl=de) or the respective service provider.

  1. Data processing on the website (www.webid-wallet.de)

Our wallet website (www.webid-wallet.de) is for your information only and does not offer any other functions directly related to the wallet.

  • Informational use of the website

You can visit our website without providing any personal data. If you only use our website for information purposes, i.e. if you do not register or otherwise provide us with information about yourself, we do not process any personal data, with the exception of the data that your browser transmits to enable you to visit the website and information that is transmitted to us as part of the cookies used.

  • Provision of the website

For the purpose of the technical provision of the website, information is collected by our IT systems when you visit the website. This data is automatically recorded and stored in so-called server log files as soon as you enter our website. The following information is collected:

 

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Time of the server request
  • IP address
  • The previous website from which access is made.

This data is not merged with other data sources. The temporary storage of your IP address by our system is necessary to enable delivery of the website to your computer. For this purpose, the user’s IP address must be stored for the duration of the session.

The IP address is stored in the log files in order to ensure the functionality of our website. We also use this data to optimise the website and to ensure the security of our information technology systems (e.g. attack detection).

We process your personal data for the technical provision of our website on the basis of the following legal basis:

  • for the technical provision of our website in accordance with Section 25 (2) No. 2 TDDDG, as the processing of the above-mentioned data is absolutely necessary so that we can enable the use of our website expressly requested by you (i.e. also without or with cookies);
  • for the fulfilment of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR, insofar as you visit our website to find out about our products;
  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in order to provide you with the website technically and securely.
    • Consent Manager

We use a Consent Manager on our website. The Consent Manager Provider of Jaohawi AB (Håltegelvägen 1b 72348 Västerås, Sweden) is a solution with which we obtain your consent to certain data processing requiring consent (e.g. analysis, tracking, etc.). By using it, we can inform you about the individual cookies and tools we use. You can use the Consent Manager to choose which cookies and tools you want to allow or reject individually or categorically. This enables you to make an informed decision about the transfer of your data and allows us to use cookies and tools in a transparent and documented manner that complies with data protection regulations.

The consent management provider processes your personal data in order to record your decision on the authorisation of cookies and tools and to save it for a return visit to our website. This includes the corresponding cookie with your consent decision as well as other usage data, such as your IP, the browser used, language and country, the website visited. In addition, the Consent Management Provider stores the following cookies:

  • “euconsent” – Consent string of the IAB CMP Framework. This contains information on whether/how you have consented to the processing of your data.
  • “eupubconsent” – Similar to “euconsent”, but with less information.
  • “__cmpconsent*” – Similar to “euconsent”.
  • “euconsent_backup” – Backup copy of the “euconsent” cookie
  • “__cmpcvc*”/”__cmpvendors”/”__cmpiab” – Information about the consent of providers.
  • “__cmpcpc*”/”__cmppurposes” – Information about the purpose of the consent.
  • “__cmpcc”/”__cmpccx” – This cookie contains only one number and is used to check whether your browser supports cookies.
  • “__cmpiuid” – A random text. The purpose of this cookie is to record the status of your consent.
  • “__cmpld” – Contains the date on which you were last shown the consent level.
  • “anna”/”annac” – Contains a number that is used to count visitors to the website.
  • “kmd” – When you log in to our system, we store the login information here.

 

Further information and the privacy policy of the Consent Management Provider can be found at: https://www.consentmanager.net/datenschutz/.

 

We process your personal data for the technical provision of our website on the basis of the following legal basis:

 

  • for the technical provision of consent management in accordance with Section 25 (2) No. 2 TDDDG, as the processing of the above-mentioned data is absolutely necessary so that we can enable you to use our website (with or without cookies) as expressly requested by you;
  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in order to be able to provide you with Consent Management technically,
  • to fulfil a legal obligation arising from the GDPR in accordance with Art. 6 para. 1 lit. c GDPR, which lies in the provision of the consent option and the documentation of your decision.
    • Google Tag Manager

We use Google Tag Manager on our website. Google Tag Manager is a solution with which we can manage cookies and website tags via an interface . The Google Tag Manager service itself (which implements the tags) is a cookie-less domain and only records your IP for the technically necessary playout of the cookies and similar tools you have selected. Otherwise, no personal data is processed via the Google Tag Manager. The Google Tag Manager triggers other tags, which in turn may collect data. The Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

We process your personal data on the following legal basis:

  • for the technical provision of tag management and the cookies you have expressly selected in accordance with Section 25 (2) No. 2 TDDDG.
    • Statistical analysis of website usage and increasing reach, advertising/marketing and tracking

When you visit our website, your surfing behaviour may be statistically evaluated. This is primarily done using cookies and so-called analysis programmes. This enables us to improve the quality of our website and its content. We learn how the website is used and can thus constantly optimise our offering. Detailed information on this can be found in the following explanations.

We process your personal data on the basis of the following legal bases:

  • with your consent in accordance with Section 25 (1) TDDDG with regard to the initial storage and reading of data;
  • with your consent in accordance with Art. 6 para. 1 lit. a GDPR for further data processing (e.g. provision of functionalities, analyses, tracking, optimisation, etc.)

You can revoke your consent via our Consent Manager at any time with effect for the future. You can access the Consent Manager from any page by clicking on the tick symbol in the bottom left-hand corner of the website and adjust your settings to withdraw your consent.

 

5.2.1 Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). Google Analytics uses cookies that enable your use of the website to be analysed. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. Google uses this information on our behalf to analyse your use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Google Analytics is only integrated on the company website, but not on the web pages for identification processes or other of our services.

We have also activated Google Signals in Google Analytics. If you have activated personalised advertising in your Google account and are logged into your Google account, our Google Analytics statistics (advertising reports, information for remarketing, cross-device reports) are therefore expanded to include demographic characteristics and interests that Google records and sends to us in anonymised form. Google Signals can also be used to carry out remarketing to logged-in Google users.

Google carries out cross-device tracking so that your data is analysed across devices (e.g. when using your smartphone or laptop) and also uses the data for cross-device marketing. The data collected by Google is linked by Google to your Google account. This may include information about your interests and demographic characteristics, such as age, language, gender, place of residence, occupation, marital status or income, which Google collects directly or via partners.

IP anonymisation

We have activated the IP anonymisation function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Browser PlugIn

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

  • Google Ads

We use the online advertising programme “Google Ads” and conversion tracking as part of Google Ads. Google Conversion Tracking is an analysis service of Google Ireland Limited (“Google”), a company registered and operated under Irish law (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”, subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). When you click on an advert placed by Google, a cookie for conversion tracking is stored on your computer. These cookies lose their validity after 30 days, do not contain any personal data and are therefore not used for personal identification.

If you visit certain web pages on our website and the cookie has not yet expired, Google and we can recognise that you have clicked on the ad and have been redirected to this page. Each Google Ads customer receives a different cookie. It is therefore not possible for cookies to be tracked via the websites of Ads customers.

The information collected using the conversion cookie is used to generate conversion statistics for Ads customers who have opted for conversion tracking. This tells customers the total number of users who clicked on their advert, were redirected to a page with a conversion tracking tag and took part in a competition there, for example. However, they do not receive any information with which users can be personally identified.

You can prevent your data from being processed by Google Ads by

  • prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of our website to their full extent;

Further information and Google’s privacy policy can be found at: https://policies.google.com/privacy and www.google.com/policies/technologies/ads/

5.2.3 LinkedIn Insight Tags

This website uses the LinkedIn Insight tag. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

LinkedIn Insight Tag

We use the Insight tag from LinkedIn. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (subsidiary of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA), (hereinafter “LinkedIn”).

The LinkedIn Insight tag and the cookies used for this purpose enable the collection of data on visits to our website and are used to display advertising. LinkedIn Insight Tags enable targeted advertising on and outside this website without identifying you as a website user. LinkedIn initially collects log files (URL, referrer URL, IP address, device and browser characteristics and time of access). The data is only collected if you are registered with LinkedIn and are recognised as a LinkedIn member via log-in or cookies; this processing takes place on the systems of the LinkedIn provider. The IP addresses are truncated or (if they are used to reach LinkedIn members across devices) hashed (pseudonymised). The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days, the remaining pseudonymised data is then deleted within 180 days (and after 90 days if anonymised data is processed).

When you visit our website, the actions you have performed on our website are reported to LinkedIn. This is used to analyse and optimise our online offering, in particular for retargeting, i.e. re-targeting advertising on other websites and assigning it to target groups. Among other things, we can analyse your key professional data (e.g. career level, company size, country, location, industry and job title) and thus better align our website with the respective target groups. We can also use LinkedIn Insight Tags to measure whether visitors to the website make use of our products (conversion measurement). Conversion measurement can also be carried out across devices (e.g. from PC to tablet). LinkedIn Insight Tag also offers a retargeting function that allows us to display targeted advertising outside the website to visitors to . According to LinkedIn, no identification of the advertising addressee takes place.

LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser properties and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymised).

The data collected by LinkedIn cannot be assigned by us to specific individuals. However, LinkedIn may store the data on its servers in the USA and use it for its own advertising purposes. Details can be found in LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy.

As a user, you can decide yourself at any time whether to execute the Java Script code required for the tool via your browser settings by selecting change the settings in your Internet browser and deactivate or restrict the execution of Java Script and thus also prevent it from being saved. However, we would like to point out that you may then no longer be able to use all the functions of the website to their full extent.

If you are a LinkedIn member and do not want LinkedIn to collect data about you via our website and link it to your membership data stored on LinkedIn, you must log out of LinkedIn before visiting our website.

If consent has been obtained, the above-mentioned service is used exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TDDDG.

LinkedIn also provides us with statistics and analyses about the use of our social media offerings. These do not contain any names or other information about individual users. This processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR; we have a legitimate interest in effective advertising measures using social media and in improving and analysing our social media activities. In this context, WebID and LinkedIn act as joint controllers within the meaning of Art. 26 GDPR and have concluded a joint controller agreement (see https://legal.linkedin.com/pages-joint-controller-addendum). In addition to our data protection officer (see section 2), you can also contact LinkedIn’s data protection officer. The contact details are available here: https://www.linkedin.com/help/linkedin/ask/TSO-DPO.

  1. Newsletters, surveys, etc.

We use your e-mail address to send you advertising about other of our products and services if you have provided it to us in connection with the use of our services (e.g. the creation of a user profile as part of the identification procedures already communicated by WebID in the past).

Processing for these purposes takes place on the following legal basis:

  • To safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with. § Section 7 (3) UWG for the purposes of electronic direct marketing. Our legitimate interest lies in providing you with information about similar WebID products and services that may be of interest to you and in our economic interest in carrying out advertising measures.

Right to object: WebID will use your e-mail address for these purposes as long as you have not objected to its use. You can either send a message to the contact option described below or object via a link provided for this purpose in the newsletter e-mail without incurring any costs other than the transmission costs according to the basic tariffs.

Our service provider Hubspot (Hubspot Inc., USA with a branch in Ireland; contact: HubSpot, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland) also collects, compiles and uses statistics and tracking data on our behalf when sending newsletters (e.g. read confirmations, interaction with links, opened/not opened with date/time of first opening and number of openings, country of opening and device used, unsubscribes, bounces (indication of non-delivery). Evaluating and analysing this data helps us to avoid sending you advertising indiscriminately. Instead, we send you advertising, such as newsletters or product recommendations, which correspond to your areas of interest. In this respect, for example, we also compare which of our advertising e-mails you open in order to avoid sending you unnecessary e-mails. We would also like to provide you with information that is relevant to you. By tracking opening and click rates, we can better recognise which content is of interest to you.

We also use the program of CleverReach GmbH & Co KG, Schafjückenweg 2 in 26180 Rastede, Germany, to send newsletters and to create anonymised statistical reports in this context (e.g. delivery success, click or bounce rates) and to manage the unsubscription of newsletters. CleverReach GmbH & Co KG acts as a processor.

We process your data for these purposes on the following legal basis:

  • Insofar as we record and analyse your response to our emails to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR; our legitimate interest is our economic interest in the implementation of advertising measures and target group-oriented advertising, analysing your response to our communication and optimising the communication in order to constantly adapt its quality and content and thus our marketing to your preferences and thus be able to send you more suitable communication.

 

  1. Compliance with legal regulations

We also process your personal data in order to fulfil other legal obligations. These may apply to us in connection with the fulfilment of contracts and/or (business) communication. These include, in particular, retention periods under commercial, trade or tax law.

We process your personal data on the basis of the following legal basis:

  • to fulfil a legal obligation to which we are subject in accordance with Art. 6 para. 1 lit. c GDPR in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.
  1. Law enforcement

We also process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary for the defence against or prosecution of criminal offences.

We process your personal data for this purpose on the basis of the following legal basis:

  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, insofar as we assert legal claims or defend ourselves in legal disputes or prevent or investigate criminal offences.
  1. Company sale/merger, etc.

We may process your personal data in order to complete a (partial) sale of the company or a merger (or similar processes such as takeover in the context of liquidation, insolvency, dissolution, etc.) with another company. In the event that another company acquires or intends to acquire the assets/capital, which may include your personal data, from us or we carry out or seek to carry out a merger with another company, we may have to grant this company access to your personal data stored by us or transfer it for the purpose of examining and implementing the company sale/merger (e.g. to determine the value of the company, business risks, etc.).

We process your personal data on the basis of the following legal basis:

  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in order to plan and implement a planned company sale or a planned merger.
  1. Categories of recipients

Within WebID, only those departments that require the data to fulfil our contractual and legal obligations will have access to it.

We also share your personal data with other recipients where this is permitted or required by law. Some of these recipients provide services for us in connection with the Wallet app, our website (agency for sending email newsletters) or our services (e.g. IT service providers or cloud service operators), while others act independently (e.g. cooperation partners in the context of providing vouchers, partner banks to which we broker loans, companies that request confirmation of your identity from us, service providers, law enforcement authorities or tax authorities). We limit the disclosure of your personal data to what is necessary, in particular to enable us to provide our services.

If our service providers receive your personal data as processors, they are strictly bound by our instructions when handling your personal data.

  1. Third country transfer

As a matter of principle, we do not transfer your personal data to countries outside the EU or the EEA (“third countries”) or to international organisations.

When transferring data to third countries, we ensure that a level of data protection within the meaning of Art. 44 et seq. GDPR is complied with.

If service providers are used in a third country and we can influence this, they may be obliged to comply with the level of data protection in Europe in addition to written instructions by agreeing the EU standard data protection clauses. Alternatively, we transfer the data on the basis of the Binding Corporate Rules or an adequacy decision. When using the tools Google Analytics, LinkedIn InSight Tags and Google Ads, this applies, for example, to the transfer of your IP address or shortened IP address to third countries, including the USA. For further information, please contact our data protection officer.

Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.

  1. Duration of data storage

Your personal data will be deleted as soon as it is no longer required for the stated purposes. In addition, personal data will be stored as long as WebID is legally obliged or authorised to do so. Log files in the Wallet app are usually deleted after 50 days

If we process your data as part of a contractual relationship, we will store your personal data for the duration of our business relationship, for example. This also includes the initiation of a contract (pre-contractual legal relationship) and the fulfilment of a contract.

In addition, we then store your personal data until the limitation period for any legal claims arising from the relationship with you has expired, in order to use it as evidence if necessary. The limitation period is usually between 1 and 3 years, but can also be up to 30 years.

We delete your personal data when the statute of limitations expires, unless there is a statutory retention obligation, for example from the German Commercial Code (Sections 238, 257 (4) HGB) or from the German Fiscal Code (Section 147 (3), (4) AO). These retention obligations can last from two to ten years.

If you use our website purely for information purposes, we store your personal data on our servers exclusively for the duration of your visit to our website. After you have left our website and closed your browser, your personal data will be deleted immediately

The session cookies are deleted when you close the browser.

Cookies installed by us on the basis of your consent are deleted after a storage period of up to 14 months. With regard to Google cookies, the storage period may be reset to the specified duration in the event of further actions. If a cookie is used to recognise you, you can delete it yourself at any time via your browser settings.

With regard to the LinkedIn Insight Tag, the direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymised data is then deleted within 180 days (and after 90 days if anonymised data is processed) .

  1. Note on the right of objection

If the processing of your personal data is based on a legitimate interest, Art. 6 para. 1 lit. f GDPR, you can object to this processing at any time if there are reasons for this arising from your particular situation. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.

We will no longer process your data for direct marketing purposes if you object to processing for these purposes.

The objection can be made informally and should be sent to the following address if possible: datenschutz@webid-solutions.de

  1. Your rights under the GDPR

In addition to the above-mentioned rights to withdraw consent and to object to data processing, you have the following rights vis-à-vis us as the controller with regard to your personal data in accordance with the provisions of the GDPR:

  • Right to information in accordance with Art. 15 GDPR: You are entitled to request confirmation from us at any time within the framework of Art. 15 GDPR as to whether we process personal data concerning you; if this is the case, you are also entitled within the framework of Art. 15 GDPR to receive information about this personal data and certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, your rights, the origin of the data, the use of automated decision-making and, in the case of third country transfer, the appropriate guarantees) and a copy of your data.
  • Right to rectification in accordance with Art. 16 GDPR: In accordance with Art. 16 GDPR, you are entitled to demand that we rectify the personal data stored about you if it is inaccurate or incorrect
  • Right to restriction of processing in accordance with Art. 18 GDPR: You are entitled to demand that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.
  • Right to erasure in accordance with Art. 17 GDPR: You are entitled, under the conditions of Art. 17 GDPR, to demand that we erase personal data concerning you without undue delay. The right to erasure does not exist, among other things, if the processing of personal data is necessary for (i) the exercise of the right to freedom of expression and information, (ii) to fulfil a legal obligation to which we are subject (e.g. statutory retention obligations) or (iii) for the assertion, exercise or defence of legal claims.
  • Right to data portability in accordance with Art. 20 GDPR: You are entitled, under the conditions of Art. 20 GDPR, to request that we provide you with the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format.
  • Right to object in accordance with Art. 21 GDPR: For reasons arising from your particular situation, you can also object to the processing of your personal data by us at any time (Art. 21 GDPR). If the legal requirements are met, we will then no longer process your personal data.
  • Right to revoke the declaration of consent under data protection law: You have the right to revoke your consent at any time. The revocation is only effective for the future; this means that the revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Please note that you can manage the data stored locally on your end device yourself. WebID does not have access to it and you must therefore act independently with regard to correction or deletion.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority. The competent data protection supervisory authority is

Berlin Commissioner for Data Protection and Freedom of Information

Alt-Moabit 59-61

10555 Berlin.

  1. Obligation to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make our app or website available to you, answer your enquiries to us or provide our services to you. Personal data that we absolutely need for the above-mentioned processing purposes is marked with an “*” or another symbol.

  1. Automated decision-making / profiling

We do not use automated decision-making or profiling (an automated analysis of your personal circumstances).

When using WebID AI Ident, however, the ID documents are checked in the background by software supported by artificial intelligence, which checks both the authenticity of the ID documents using various security features, and whether the photo on the ID documents matches the photo taken during the identification process. In the event of anomalies and to check that the software is working correctly, trained service staff can be called in to check individual identification processes.

In accordance with Art. 22 (3) GDPR, you have the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision if automated decision-making is used. These rights must be asserted vis-à-vis WebID.

Should we use further such procedures in individual cases, we will inform you accordingly.

  1. Changes

We amend this privacy policy from time to time, e.g. in the event of changes to data processing or legal requirements. Therefore, please check this privacy policy regularly to see the latest version.

 

Status: October 2025