Skip to main content
WebID

Privacy Policy

The following privacy policy is intended to inform you in accordance with Articles 12, 13 and 21 of the General Data Protection Regulation (GDPR) about the processing of your personal data (hereinafter referred to as “data”) that is processed by WebID Solutions GmbH (“WebID”) in connection with the use of this website, the mobile apps (hereinafter collectively referred to as the “website”) and the WebID services.
Your data is processed in compliance with the relevant data protection regulations, in particular the provisions of the GDPR and the German Federal Data Protection Act (BDSG).

1. Responsible person

The controller within the meaning of the GDPR is
WebID Solutions GmbH, Friedrichstraße 88, 10117 Berlin
E-mail address: service@webid-solutions.de

2. Data protection officer

You can contact our external data protection officer as follows
Silvia C. Bauer
WebID Solutions GmbH, Data Protection Officer
Friedrichstraße 88, 10117 Berlin
E-Mail: datenschutz@webid-solutions.de

3. Purposes and legal bases of data processing

3.1 Processing of data when using apps

When downloading mobile apps, the necessary information is transmitted to the App Store, in particular your user name, your email address and the customer number of your account, the time of the download, payment information if applicable and the individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data only to the extent necessary for downloading the mobile app to your mobile device and in this context, to the extent necessary for the use of the app, on the basis of Art. 6 para. 1 lit. b, f GDPR and § 25 para. 2 no. 2 TDDDG. For further information on data protection, please refer to the data protection information of the respective app.

3.2 Informational use of the website

You can visit our website without providing any personal data. If you only use our website for information purposes, i.e. if you do not register or otherwise provide us with information about yourself, we do not process any personal data, with the exception of the data that your browser transmits to enable you to visit the website and information that is transmitted to us as part of the cookies used.

3.2.1 Provision of the website

For the purpose of the technical provision of the website, information is collected by our IT systems when you visit the website. This data is automatically recorded and stored in so-called server log files as soon as you enter our website. The following information is collected:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Time of the server request
  • IP address
  • The previous website from which access is made.

This data is not merged with other data sources. The temporary storage of your IP address by our system is necessary to enable delivery of the website to your computer. For this purpose, the user’s IP address must be stored for the duration of the session.

The IP address is stored in the log files in order to ensure the functionality of our website. We also use this data to optimise the website and to ensure the security of our information technology systems (e.g. attack detection).

We process your personal data for the technical provision of our website on the basis of the following legal basis:

  • for the technical provision of our website in accordance with Section 25 (2) No. 2 TDDDG, as the processing of the above-mentioned data is absolutely necessary so that we can enable the use of our website expressly requested by you (i.e. also without or with cookies);
  • for the fulfilment of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR, insofar as you visit our website to find out about our products;
  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in order to provide you with the website technically and securely.

3.2.2 Consent Manager

We use a Consent Manager on our website. The Consent Manager Provider of Jaohawi AB (Håltegelvägen 1b, 72348 Västerås, Sweden) is a solution with which we obtain your consent to certain data processing requiring consent (e.g. analysis, tracking, etc.). By using it, we can inform you about the individual cookies and tools we use. You can use the Consent Manager to choose which cookies and tools you want to allow or reject individually or categorically. This enables you to make an informed decision about the transfer of your data and allows us to use cookies and tools in a transparent and documented manner that complies with data protection regulations.

The consent management provider processes your personal data in order to record your decision on the authorisation of cookies and tools and to save it for a return visit to our website. This includes the corresponding cookie with your consent decision as well as other usage data, such as your IP, the browser used, language and country, the website visited. In addition, the Consent Management Provider stores the following cookies:

  • “euconsent” – Consent string of the IAB CMP Framework. This contains information on whether/how you have consented to the processing of your data.
  • “eupubconsent” – Similar to “euconsent”, but with less information.
  • “__cmpconsent*” – Similar to “euconsent”.
  • “euconsent_backup” – Backup copy of the “euconsent” cookie
  • “__cmpcvc*”/”__cmpvendors”/”__cmpiab” – Information about the consent of providers.
  • “__cmpcpc*”/”__cmppurposes” – Information about the purpose of the consent.
  • “__cmpcc”/”__cmpccx” – This cookie contains only one number and is used to check whether your browser supports cookies.
  • “__cmpiuid” – A random text. The purpose of this cookie is to record the status of your consent.
  • “__cmpld” – Contains the date on which you were last shown the consent level.
  • “anna”/”annac” – Contains a number that is used to count visitors to the website.
  • “kmd” – When you log in to our system, we store the login information here.

Further information and the privacy policy of the Consent Management Provider can be found at: https://www.consentmanager.net/datenschutz/.

We process your personal data for the technical provision of our website on the basis of the following legal basis:

  • for the technical provision of consent management in accordance with Section 25 (2) No. 2 TGGGG, as the processing of the above-mentioned data is absolutely necessary so that we can enable you to use our website without or with cookies) as expressly requested by you;
  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in order to make the website technically available to you
  • to fulfil a legal obligation arising from the GDPR pursuant to Art. 6 para. 1 lit. c GDPR, which lies in the provision of the consent option and the documentation of your decision.

3.2.3 Statistical analysis of the use of the website and tracking

When you visit our website, your surfing behaviour may be statistically evaluated. This is primarily done using cookies and so-called analysis programmes. This enables us to improve the quality of our website and its content. We learn how the website is used and can thus constantly optimise our offering. Detailed information on this can be found in the following explanations.

We process your personal data on the basis of the following legal bases:

  • with your consent in accordance with Section 25 (1) TDDDG with regard to the initial storage and reading of data;
  • with your consent in accordance with Art. 6 para. 1 lit. a GDPR for further data processing (e.g. provision of functionalities, analyses, tracking, optimisation, etc.).

You can revoke your consent via our Consent Manager at any time with effect for the future. You can access the Consent Manager from any page by clicking on the tick symbol in the bottom left-hand corner of the website and adjust your settings to withdraw your consent. If other legal bases come into consideration, these are listed below.

3.2.3.1 Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). Google Analytics uses cookies to analyse your use of the website and to track your visit to other websites or the websites you have previously visited. The information generated by the cookie about your use of this website (IP address, login status, postcode, last login, registration date, user ID and registration source) is usually transferred to a Google server in the USA and stored there. Google uses this information on our behalf to analyse your use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Google Analytics is only integrated on the company website, but not on the web pages for identification processes or other of our services.

We have also activated Google Signals in Google Analytics. If you have activated personalised advertising in your Google account and are logged into your Google account, our Google Analytics statistics (advertising reports, information for remarketing, cross-device reports) are therefore expanded to include demographic characteristics and interests that Google records and sends to us in anonymised form. Google Signals can also be used to carry out remarketing to logged-in Google users.

Google carries out cross-device tracking so that your data is analysed across devices (e.g. when using your smartphone or laptop) and also uses the data for cross-device marketing. The data collected by Google is linked by Google to your Google account. This may include information about your interests and demographic characteristics, such as age, language, gender, place of residence, occupation, marital status or income, which Google collects directly or via partners.

IP anonymisation

We have activated the IP anonymisation function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

We only use Google Analytics with your consent. Once you have given your consent, you can withdraw it by

  • use the button at the bottom of this website for your cookie settings,
  • prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all the functions of our website to their full extent,
  • download and install the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de or click on this link to prevent Google Analytics from collecting data on our website in the future. This will place an opt-out cookie on your device. Please note that you must activate the opt-out cookie in every browser you use on all your end devices and, if necessary, reactivate it if you delete all cookies in a browser.

You can find more information on the terms of use and data protection of Google Analytics at http://www.google.com/analytics/terms/de.html, https://support.google.com/analytics/answer/6004245?hl=de and https://policies.google.com/privacy?hl=de.

3.2.3.2 Google Ads, Google Ads Conversion Tracking, Google Ads Enhanced Conversions

We use the online advertising programme “Google Ads” and conversion tracking as part of Google Ads. Google Conversion Tracking is an analytics service provided by Google Ireland Limited (“Google”), a company incorporated and operated under Irish law (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”, subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). When you click on an advert placed by Google, a cookie for conversion tracking is stored on your computer. These cookies lose their validity after 30 days, do not contain any personal data and are therefore not used for personal identification.

If you visit certain pages of our website and the cookie has not yet expired , Google and we can recognise that you have clicked on the ad and have been redirected to this page. Each Google Ads customer receives a different cookie. It is therefore not possible for cookies to be tracked via the websites of Ads customers.

The information collected using the conversion cookie is used to generate conversion statistics for Ads customers who have opted for conversion tracking. This tells customers the total number of users who clicked on their advert, were redirected to a page with a conversion tracking tag and took part in a competition there, for example. However, they do not receive any information with which users can be personally identified.

We also use Google Enhanced Conversions. This is a function that can be to improve used the accuracy of conversion tracking compared to simple Google Conversion Tracking (see previous section).

For the use of Google Ads Enhanced Conversions, encrypted user data (e.g. names, email addresses, addresses, customer-specific identifiers) is forwarded to Google. Your user data is converted SHA256) character string into a hashed to Googleand pseudonymised (so-called before is forwarded  and then used to improve conversion measurement. This allows to Google compare whether the transmitted user data matches existing Google customers. Based on this information, the corresponding Google  users can be assigned toaccounts in which users were logged in when they with one of interacted adverts. our This enables us, for example, to measure even conversions if the cookies set by Google have already expired. We receive from Google only statistical analyses to measure the success of our advertising material. We within the scope of these statistical analyses. cannot any reference to establish users individual

You can prevent your data from being processed by Google Ads by

  • prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of our website to their full extent;

Further information and Google’s privacy policy can be found at: https://policies.google.com/privacy and www.google.com/policies/technologies/ads/

3.2.3.3 Google Tag Manager

We use Google Tag Manager from Google on our website. Google Tag Manager is a solution that allows marketers to manage website tags via an interface. The Google Tag Manager service itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The Google Tag Manager service triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

3.2.3.4 LinkedIn Insight tags

We use the Insight tag from LinkedIn. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (subsidiary of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA), (hereinafter “LinkedIn”).

The LinkedIn Insight tag and the cookies used for this purpose enable the collection of data on visits to our website and are used to display advertising. LinkedIn Insight Tags enable targeted advertising on and outside this website without identifying you as a website user. LinkedIn initially collects log files (URL, referrer URL, IP address, device and browser characteristics and time of access). The data is only collected if you are registered with LinkedIn and are recognised as a LinkedIn member via log-in or cookies; this processing takes place on the systems of the LinkedIn provider. The IP addresses are truncated or (if they are used to reach LinkedIn members across devices) hashed (pseudonymised).

When you visit our website, the actions you have performed on our website are reported to LinkedIn. This is used to analyse and optimise our online offering, in particular for retargeting, i.e. re-targeting advertising on other websites and assigning it to target groups. Among other things, we can analyse your key professional data (e.g. career level, company size, country, location, industry and job title) and thus better align our website with the respective target groups. We can also use LinkedIn Insight Tags to measure whether visitors to the website make use of our products (conversion measurement). Conversion measurement can also be carried out across devices (e.g. from PC to tablet). LinkedIn Insight Tag also offers a retargeting function that allows us to display targeted advertising to visitors to our website outside the website. According to LinkedIn, no identification of the advertising addressee takes place.

LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser properties and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymised).

The data collected by LinkedIn cannot be assigned by us to specific individuals. However, LinkedIn may store the data on its servers in the USA and use it for its own advertising purposes. Details can be found in LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy.

As a user, you can decide yourself at any time whether to execute the Java Script code required for the tool via your browser settings by selecting

  • change the settings in your Internet browser and deactivate or restrict the execution of Java Script and thus also prevent it from being saved. However, we would like to point out that you may then no longer be able to use all the functions of the website to their full extent.

If you are a LinkedIn member and do not want LinkedIn to collect data about you via our website and link it to your membership data stored on LinkedIn, you must log out of LinkedIn before visiting our website.

If consent has been obtained, the above-mentioned service is used exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TGGGG.

LinkedIn also provides us with statistics and analyses about the use of our social media offerings. These do not contain any names or other information about individual users. This processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR; we have a legitimate interest in effective advertising measures using social media and in improving and analysing our social media activities. In this context , WebID and LinkedIn act as joint controllers within the meaning of Art. 26 GDPR and have concluded a joint controller agreement (see https://legal.linkedin.com/pages-joint-controller-addendum). In addition to our data protection officer (see section 2), you can also contact LinkedIn’s data protection officer. The contact details are available here: https://www.linkedin.com/help/linkedin/ask/TSO-DPO.

3.2.3.5 Hubspot

This website also uses Hubspot for our marketing activities, a service of Hubspot Inc. 25 Street, Cambridge, MA 02141 USA (with a branch in Ireland; contact: HubSpot, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland, telephone: +353 1 5187500). Hubspot uses cookies to analyse your use of the website. The information collected by the cookies about the use of the website is usually transmitted to a Hubspot server and stored there. You can find more information about HubSpot at: https://legal.hubspot.com/legal-stuff.

Hubspot collects, among other things, your IP address, geographical location, browser type, duration of the visit and the pages accessed.

Hubspot processes this data on our behalf to analyse your use of the website, to compile reports on website activity and to provide us with other services relating to website activity, marketing and internet usage. If you register with us, e.g. to receive a newsletter, your website activities may be linked to the data you provided during registration in order to provide you with targeted information, for example.

We only use Hubspot with your consent; this includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. You can also revoke any consent you have given

  • prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of our website to their full extent;

Further information on how Hubspot works can be found in the Hubspot Inc. privacy policy, available at: http://legal.hubspot.com/de/privacy-policy.

3.2.3.6 SalesViewer

We use the SalesViewer service provided by SalesViewer GmbH, Huestraße 30, 44787 Bochum, Germany, to analyse the behaviour of visitors to our website. SalesViewer enables us to analyse information about the use of our website for marketing purposes and to optimise and improve our online offering. When using SalesViewer, the data listed in section 3.2.1 and information about the respective interaction with the website are processed. The IP addresses are encrypted using a non-reversible one-way function (hashing), directly pseudonymised and not used to identify visitors to the website

The processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR; we have a legitimate interest in effective advertising measures using corresponding services or for the optimisation and analysis of our website. If you do not want your data to be collected by SalesViewer, you can

  • prevent this by setting an opt-out cookie at the following link https://www.salesviewer.com/de/opt-out/. The opt-out cookie is stored on your device. If you delete your cookies in your browser, you must click the link again.

Further information on SalesViewer can be found in the data protection provisions of SalesViewer GmbH, available at: https://www.salesviewer.com/de/datenschutzerklaerung/. SalesViewer GmbH is used as a commissioned data processor.

3.3 Active use of the website

In addition to the purely informational use of our website, you can also actively use our website to make use of our WebID products, such as secure online identification, identity verification with artificial intelligence and biometrics without the involvement of a human employee (“WebID AutoID”) or digital contract signing, to create a permanent user profile, to register for our newsletter or to contact us. In addition to the processing of your personal data described above for purely informational use, we also process other personal data from you that we need to provide the respective services and respond to your enquiries.

3.3.1 Verification and confirmation of identity identification methods

The processing of your data by WebID in connection with the verification and confirmation of identity, a documented declaration, is carried out on behalf of the respective partner company of WebID, such as a bank, a telecommunications company or an insurance company, at whose request the verification is carried out (“Partner”)

Your data will be processed exclusively for the purpose of verifying your identity, your declaration and confirming it to the respective partner.

For this purpose, we process the data that you provide to us as part of your use of the respective WebID service as well as any data that the respective partner makes available to us for the purpose of comparison with the data you have provided to us. The prerequisite for processing is the creation of a user profile (see section 3.3.3), in which your data is recorded and by means of which we are given the opportunity to communicate with you for the purposes of the respective identification method, e.g. by e-mail and SMS, in order to send you the transaction number (TAN) for the successful completion of the respective identification.

The scope of the processing of this data and the legal basis for this processing depends on the intended or existing contractual relationship between you and the partner as well as the legal requirements that demand proof of identity in individual cases. Depending on the legal basis for proof of identity, may also require proof of the existence of a valid, official identification document (e.g. identity card or passport).

In addition, WebID provides partners with data as part of the TrueID product, which it processes either as their processor or as its own controller (see section 3.3.1.f and section 3.3.3.).

As a rule, the following data is processed as part of the following processes, whereby the exact scope of this data or the processing depends on the respective identification method:

3.3.1.a. for all identification methods:

  • Surname, first name
  • Place of birth
  • Date of birth
  • Nationality
  • Full address
  • Mobile phone number
  • E-mail address
  • User name of the video conferencing programme used
  • Photo/screenshot of the person and the front and back of the ID document
  • ID card data (such as date and place of issue, issuing authority, etc.)

3.3.1.b. WebID VideoID

For identification using WebID VideoID, the following data is processed in addition to the data listed in section 3.3.1.a:

  • User name of the video conferencing programme used
  • Video and audio recording of the video call

3.3.1.c. WebID AutoID

For identification using WebID AutoID Ident, you create a portrait photo of yourself after collecting the data mentioned in point 3.3.1.a.. The data transmitted by the partner, the ID card data and the portrait photo are subject to fully automatic verification by WebID AutoID. Depending on the partner’s model, the fully automatic identification by WebID AutoID can proceed in different ways. Either your data is compared with your ID document or an additional check is carried out to determine whether it is a valid ID document; if necessary, a biometric comparison of the portrait photo with the photo on your ID document is also carried out. When WebID AutoID is used, the photos created are checked in the background by software supported by artificial intelligence, which checks both the authenticity of the ID documents using various security features and whether the photo on the ID documents matches the photo created during the identification process. In the event of anomalies and to check that the software is working correctly, trained service staff can be called in to check individual identification processes. The results of the identification are automatically transmitted to the partner after the check. For further information on the handling of your biometric data and your alternatives if you do not wish this data to be processed, please refer to section 3.3.1.g.. To use WebID AutoID, you first fill out a form (usually on the partner’s website), accept WebID’s terms and conditions and receive this data protection information. You will then be forwarded to us by the partner.

3.3.1.d. WebID AccountID

For identification using WebID AccountID, a fully automated identity check is carried out first. For this purpose, the data described in more detail in section 3.3.1.c (WebID AutoID) is processed and the processes mentioned there are carried out. In the next step, you log in to your bank’s online banking with your access data. In order to use WebID AccountID, you must grant secure access to the information stored in your bank account via the digital PSD2 or online banking interface. This serves the purpose of proving your data collected in this way and the existence of your bank account. As part of a legally required reference transfer, a small amount (e.g. 1 cent) is transferred from your bank account to a WebID verification account. This transfer will be executed by your bank. You irrevocably agree that your bank will execute this transfer order to a WebID verification account. This process is usually embedded with the partner for whom we work and is based on Art. 6 para. 1 lit. a, b and c GDPR in conjunction with Art. 28 GDPR. Art. 28 GDPR. Alternative procedures are regularly available to you, which do not require access to the data stored in your bank account along with the reference transfer.

3.3.1.e. WebID eID (online ID function)

For identification using WebID eID, you need the My WebID app, which you must have downloaded on your smartphone. If you decide to use it and identify yourself using WebID eID, you will be redirected to the app. There you can use the online ID function WebID eID, which we use to carry out an identity check for our partner. To do this, you must have activated the online function of your ID card and have a smartphone with an activated NFC function ready so that a connection can be established between your ID card and the smartphone. You start the identification process by entering the displayed transaction number. By entering your personal 6-digit PIN from your ID card, you initiate the transmission of the required data using end-to-end encryption by reading the NFC chip and authorise this transmission. WebID checks the transmitted data and finalises the identification accordingly. By using the My WebID app, it is not necessary to load the ID card app. WebID eID service providers authorised in accordance with Section 21b PAuswG, such as D-Trust or MTG, which have received an authorisation certificate from the Federal Office of Administration for reading the corresponding ID card data

3.3.1.f. WebID TrueID

WebID TrueID makes future identifications easier for you and WebID’s partners.

WebID processes the data listed in section 3.3.1.a and b. on behalf of the partners in accordance with the legal requirements for money laundering and, with their consent, makes this data available to other partners as a messenger in the context of identifications.

Alternatively, within the framework of TrueID, WebID can process your data stored in the WebID user profile database under your user profile (see section 3.3.) for its own purposes, such as carrying out future identifications of users. In a first step, WebID partners can ask WebID via a technical service provider whether the user profile of one of their customers is stored by WebID at all or with what probability. To do this, the partner transmits the name and address of their customer to WebID. WebID automatically compares this information with the user profiles it has stored. It calculates a mathematical probability value which determines the probability of a user profile being stored with it. The partner then receives this value without any further personal data and can decide for itself on the basis of the probability value whether, for example, it wishes to commission WebID to identify its customer. If the partner commissions WebID, you as the customer will be informed of the identification requested by the partner by WebID automatically sending you a TAN to the mobile phone number you have provided. You can then give WebID your consent to identification by WebID by entering the TAN in a screen provided for this purpose. Once you have given your consent, WebID will carry out the desired identification

3.3.1.g. Processing of biometric data

When using automated products as part of the identification process, a biometric data comparison is made between the photo taken and the photo of your ID document (position data of the face) so that fraud attempts, such as identity theft, can be better recognised. The measurement data collected in the process is only processed for the purposes of the comparison. The measurement data is not stored. Only the result of the comparison is stored. This does not contain any biometric data, only the information that the data comparison was successful.

The data is processed by the following subcontractors:

Amazon Web Services Luxembourg Sàrl, 38 avenue John F. Kennedy, L-1855, Luxembourg; BioID AG, Brünigstrasse 95, 6072 Sachseln, Switzerland.

If you wish to avoid the processing of biometric data, you can – if offered by your contractual partner (our partner) – use other identification methods as an alternative. If these are not offered, please contact the partner directly.

3.3.1.h. Further process and legal basis

If we have established and verified your identity, we will transmit the data collected to the partner. Depending on the design of the identification method, you may receive a message about the result of the identification by e-mail. If, at your request, the verification of your identity has been forwarded by us or a sales partner of the partner via a sales partner, the sales partner will only receive a success message regarding the verification status.

When performing TrueID via WebID using the WebID user profile inventory, the partner receives a success message on the verification status after you have given your consent and the identification was successful.

The partner will process the transmitted data to fulfil its obligations under money laundering law or other identification obligations, as well as its rights and obligations arising from the contractual relationship between the partner and you

The processing of your personal data takes place (in addition to the legal bases specified above under Section 3.3.1 a-g), in each case on the following legal bases:

  • as part of the respective contractual relationship with our respective partner, Art. 28 GDPR;
  • for the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b GDPR;
  • to fulfil a legal obligation to which the partner is subject pursuant to Art. 6 para. 1 lit. c GDPR;
  • if you have given us your consent, in accordance with Art. 6 para. 1 lit. a GDPR.

3.3.2 Digital contract signing

You can also use our services to conclude digital contracts with our partners. Following the above video legitimisation or an equivalent legitimisation and after viewing the respective contract, you can digitally sign your contractual partner’s contract using a certificate.

We process the data listed under section 3.3.1.a. for the purposes of identification and digital contract signing. The processing is carried out for contractual purposes, Art. 6 para. 1 lit. b GDPR and is also based on the legal requirements that must be observed in individual cases in the context of the digital signing of contracts, such as the eIDAS Regulation.

3.3.3 Processing for the purposes of the “My WebID” user profile

Our services for you also include the creation of a user profile.

We process the data collected by us as part of the identification methods described above or the digital signing of the contract (see sections 3.3.1 and 3.3.2) as well as the transaction number linked to your user profile. This does not include biometric data, which we do not store (see section 3.3.1.f).

We use this data in this context as the controller for the purpose of enabling you to provide future proof of identity to our existing and future partners or to enable you to provide future digital signatures.

The creation of your user profile and the processing of the data listed above for WebID’s own purposes is carried out in accordance with Art. 6 para. 1 lit. b GDPR and, if applicable, a declaration of consent, Art. 6 para. 1 lit. a GDPR.

3.3.4 Enquiries

In order to be able to process and respond to your enquiries to us, e.g. via the contact form or to our e-mail address, we process the data you provide in this context. This includes your name, age and e-mail address in order to send you a reply, as well as any other information that you send us as part of your message.

We process your data to respond to your enquiries on the following legal basis:

  • If you contact us in the context of a contract to which you are a party or for the implementation of pre-contractual measures, the legal basis is Art. 6 para. 1 lit. b GDPR.
  • To safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in the appropriate response to customer enquiries.

3.3.5 Newsletter, surveys, etc.

With your consent, we will use your data for advertising purposes, such as sending you one of our newsletters, contacting you by telephone or for advertising surveys. We only collect the data required in each case, such as your e-mail address. As part of the registration process, you will receive an e-mail from us with a confirmation link with which you can confirm your identity (double opt-in). Your registration is not complete until you confirm the link.

Our service provider Hubspot (Hubspot Inc., USA with a branch in Ireland; contact: HubSpot, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland ) also collects, compiles and uses statistics and tracking data on our behalf when sending newsletters (e.g. read confirmations, interaction with links, opened/not opened with date/time of first opening and number of openings, country of opening and device used, unsubscriptions, bounces (indication of non-delivery). Evaluating and analysing this data helps us to avoid sending you advertising indiscriminately. Instead, we send you advertising, such as newsletters or product recommendations, which correspond to your areas of interest. In this respect, for example, we also compare which of our advertising e-mails you open in order to avoid sending you unnecessary e-mails. We would also like to provide you with information that is relevant to you. By tracking opening and click rates, we can better recognise which content is of interest to you.

We also use the program of CleverReach GmbH & Co KG, Schafjückenweg 2 in 26180 Rastede, Germany, to send newsletters and to create anonymised statistical reports in this context (e.g. delivery success, click or bounce rates) and to manage the unsubscription of newsletters. CleverReach GmbH & Co KG acts as a processor.

We process your data for these purposes on the following legal basis:

  • If you have given us your consent, in accordance with Art. 6 para. 1 lit. a GDPR;
  • Insofar as we record and analyse your response to our emails to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR; our legitimate interest is our economic interest in the implementation of advertising measures and target group-oriented advertising, analysing your response to our communication and optimising the communication in order to constantly adapt its quality and content and thus our marketing to your preferences and thus be able to send you more suitable communication.

We also use your e-mail address to send you advertising about other of our products and services if you have provided us with this information in connection with the use of our services (e.g. the creation of a user profile as part of the identification process).

Processing for these purposes takes place on the following legal basis:

  • To safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with. § Section 7 (3) UWG for the purposes of electronic direct marketing. Our legitimate interest lies in providing you with information about similar WebID products and services that may be of interest to you and in our economic interest in carrying out advertising measures.

Right to object: WebID will use your e-mail address for these purposes as long as you have not objected to its use. You can either send a message to the contact option described below or object via a link provided for this purpose in the newsletter e-mail without incurring any costs other than the transmission costs according to the basic tariffs

3.3.6 LinkedIn Sales Navigator

We actively use our social media presence on business-oriented platforms such as LinkedIn and associated tools such as the LinkedIn Sales Navigator to communicate with, approach, initiate, manage and expand our business contacts and leads. We also use the tool to find suitable contacts for us and our services and to contact them directly via the integrated messaging function on LinkedIn so that we can present our services. In doing so, we process the data provided to us by LinkedIn. In particular, this may include your name, your employer, your position at your employer, your education and other contacts on the platform. Depending on the type of contact with you, we may process further data, such as the specific business relationship or the content of the communication with you. It is also possible that we may transfer your data to our CRM systems and merge or link it with your data already stored there.

The Sales Navigator is offered by LinkedIn Ireland Unlimited Company (“LinkedIn Ireland”). WebID and LinkedIn Ireland act as joint controllers within the meaning of Art. 26 GDPR and have concluded a joint controller agreement (see https://legal.linkedin.com/pages-joint-controller-addendum). Information on the LinkedIn Sales Navigator and its functions can be found here: https://business.linkedin.com/de-de/sales-solutions/sales-navigator. LinkedIn’s privacy policy with further information on data processing can be found here: https://de.linkedin.com/legal/privacy-policy. In addition to our data protection officer (see section 2), you can also contact LinkedIn’s data protection officer. The contact details can be found here: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

We process your personal data to contact, communicate or initiate business contacts with you (including via our CRM) on the basis of the following legal bases:

  • Your consent in accordance with Art. 6 (1) (a) GDPR, which you gave to the provider when registering for the respective social media platform, insofar as it concerns your platform user data (name, employer, position, usage behaviour on the platform, etc.);
  • for the fulfilment of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR, provided that we already have a business relationship with you or carry out pre-contractual measures via the platform based on your enquiry (e.g. further contact or communication);
  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in the appropriate approach, targeted communication or the initiation of business contacts for the establishment, implementation, maintenance or termination of a business relationship with you. This enables us to generate attention for our services and offer our services in a specific and targeted manner.

3.3.7 Hubspot CRM

We use Hubspot CRM on this website. The provider is Hubspot Inc. 25 Street, Cambridge, MA 02141 USA with a branch in Ireland, contact: HubSpot, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland (hereinafter “Hubspot”).

Among other things, Hubspot CRM enables us to manage existing and potential customers as well as customer contacts. With the help of Hubspot CRM, we are able to record, sort and analyse customer interactions via email, social media or telephone across various channels. The personal data collected in this way can be analysed and used for communication with potential customers or for marketing measures (e.g. newsletter mailings). With Hubspot CRM, we are also able to record and analyse the user behaviour of our contacts on our website

The use of Hubspot CRM is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the most efficient customer management and customer communication possible.

Details can be found in Hubspot’s privacy policy: https://legal.hubspot.com/de/privacy-policy

3.3.8 Salesforce Sales Cloud

We use Salesforce Sales Cloud to manage customer data. The provider is Salesforce: The Customer Company Germany GmbH, Erika-Mann-Str. 31, 80636 Munich (hereinafter “Salesforce”).

Salesforce Sales Cloud is a CRM system and enables us, among other things, to manage existing and potential customers and customer contacts and to organise sales and communication processes. The use of the CRM system and the processing of the data we collect also enables us to analyse and optimise our customer-related processes, our website, to address customers in a targeted manner and to improve the customer experience.

The customer data is stored on the Salesforce servers on our behalf. The data is transferred to the Salesforce Sales Cloud and processed there for the above-mentioned purposes, among others. Personal data may also be transferred to the parent company of Salesforce: The Customer Company Germany GmbH, Salesforce: The Customer Company  Inc, Salesforce Tower, 415 Mission Street, San Francisco, CA 94105, USA. Details on the functions of Salesforce Sales Cloud and data processing can be found here: https://www.salesforce.com/de/products/sales-cloud/overview/ and https://www.salesforce.com/de/company/privacy/.

The use of Salesforce Sales Cloud is based on Art. 6 para. 1 lit. f GDPR. WebID has a legitimate interest in the most efficient customer management and customer communication possible.

Salesforce has Binding Corporate Rules (BCR) that have been approved by the French data protection authority. These are binding corporate rules that legitimise the internal transfer of data to third countries outside the EU and the EEA. You can find details here: https:

3.3.9 YouTube

We integrate videos from the YouTube service, which is provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). In order to make the videos available, technically necessary data is processed by Google for this purpose. Google is responsible for this processing. Further information on how Google handles your personal data can be found at: https://policies.google.com/privacy?hl=de.

The legal basis for the initial readout and/or storage of data is Section 25 (2) No. 2 TDDDG, as the processing of the data is absolutely necessary so that we can enable the use of our website expressly requested by you (i.e. with YouTube videos, for example). The legal basis for the initial reading and/or storage of other, technically unnecessary data is the user’s consent in accordance with Section 25 (1) TDDG. Further data processing when integrating YouTube is necessary for the needs-based design of our website. This is also our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

3.3.10. Atlassian Status Page

WebID uses the incident management tool “Status Page” from Atlassian. Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia (“Atlassian”), for the purposes of incident reporting as part of the implementation of appropriate technical organisational measures. Atlassian acts as a processor for WebID. Authorised contact persons of WebID’s partners can register to use the tool via the link provided by WebID in order to receive or retrieve incident management information (“WebID Status”) for the WebID products they have selected. This includes, for example, information regarding upcoming maintenance work, possible application failures, malfunctions or security incidents. As part of the registration process, WebID collects the contact person’s email address, which they confirm using the double opt-in procedure. In addition to the email address, WebID also records the name and mobile phone number of the contact person named by the partner in the tool in order to check their authorisation to register, inform them of the WebID status by email or to be able to contact them at short notice if necessary.

WebID processes the data of contact persons in connection with the Status Page on the following legal bases:

  • as part of the registration for the use of the tool and then when using the tool to fulfil a contract or to carry out pre-contractual measures in accordance with Art. 6 Para. 1 lit. b GDPR;
  • to implement the appropriate technical and organisational measures required by law by using an incident management tool in accordance with Art. 6 para. 1 lit. c GDPR in conjunction with Art. 32 GDPR. Art. 32 GDPR.

3.3.11 Compliance with legal regulations

We also process your personal data in order to fulfil other legal obligations. These may apply to us in connection with business communication, among other things. These include, in particular, retention periods under commercial, trade or tax law.

We process your personal data on the basis of the following legal basis:

  • to fulfil a legal obligation to which we are subject in accordance with Art. 6 para. 1 lit. c GDPR in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.

3.3.12 Law enforcement

We also process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary for the defence against or prosecution of criminal offences.

We process your personal data for this purpose on the basis of the following legal basis:

  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, insofar as we assert legal claims, defend ourselves in legal disputes, prevent or investigate criminal offences.

3.3.13 Company sales, mergers, etc.

We may process your personal data in order to complete a (partial) sale of the company or a merger (or similar processes such as takeover in the context of liquidation, insolvency, dissolution, etc.) with another company. In the event that another company acquires or intends to acquire the assets/capital, which may include your personal data, from us or we carry out or seek to carry out a merger with another company, we may have to grant this company access to your personal data stored by us or transfer it for the purpose of examining and implementing the company sale/merger (e.g. to determine the value of the company, business risks, etc.).

We process your personal data on the basis of the following legal basis:

  • to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR in order to plan and implement a planned company sale or a planned merger.

4. Categories of recipients

Within WebID, only those departments that require the data to fulfil our contractual and legal obligations will have access to it.

As part of our activities as a processor, we transmit the data collected to the respective partner with whom you are in contact. If, at your request, we or a sales partner of the partner have forwarded the determination of your identity via a sales partner or you agree to the identification within the scope of TrueID, the sales partner or the partner will only receive a success message on the verification status. The partner will process the transmitted data to fulfil its obligations under money laundering law or other identification obligations as well as its rights and obligations arising from the contractual relationship between the partner and you or in the context of the digital signature, in particular to prove the conclusion of the contract.

We also share your personal data with other recipients where this is permitted or required by law. Some of these recipients provide services for us in connection with our website or our services (e.g. IT service providers or cloud service operators), while others act independently (e.g. law enforcement authorities or tax authorities). We limit the disclosure of your personal data to what is necessary, in particular in order to be able to provide our services. If our service providers receive your personal data as processors, they are strictly bound by our instructions when handling your personal data. You can obtain further information from our data protection officer if required.

5. Third country transfer

As a matter of principle, we do not transfer your personal data to countries outside the EU or the EEA (“third countries”) or to international organisations.

When transferring data to third countries, we ensure that a level of data protection within the meaning of Art. 44 et seq. GDPR is complied with.

If service providers or processors, such as Salesforce or Atlassian, are used in a third country and we can influence this, they are obliged to comply with the level of data protection in Europe in addition to written instructions by agreeing the EU standard data protection clauses. Alternatively, we transfer the data on the basis of the Binding Corporate Rules, an adequacy decision or corresponding guarantees, such as the EU-US Data Privacy Framework Agreement. When using the tools Google Analytics, LinkedIn InSight Tags and Google Ads, this concerns, for example, the transfer of your IP address or your truncated IP address to third countries, including the USA. For further information, please contact our data protection officer .

6. Links

Some sections of our website contain links to the websites of third-party providers, e.g. to display YouTube videos. These are not so-called social media plug-ins, but pure links. When you visit our website, no personal data is forwarded to these third-party providers. Data is only transferred to the respective third-party provider when the link is consciously used. The websites of all third-party providers are subject to their own data protection principles. We are not responsible for their operation, including data handling. If you send information to or via such third-party sites, you should check the data protection declarations of these sites before you send them information that can be attributed to you personally.

7. Duration of storage

7.1 Informational use of the website

If you use our website purely for information purposes, we store your personal data on our servers exclusively for the duration of your visit to our website. After you have left our website and closed your browser, your personal data will be deleted immediately.

The session cookies are deleted when you close the browser.

Cookies installed by us on the basis of your consent are deleted after a storage period of up to 14 months. With regard to Google cookies, the storage period may be reset to the specified duration in the event of further actions. If a cookie is used to recognise you, you can delete it yourself at any time via your browser settings

With regard to the LinkedIn Insight Tag, the direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymised data is then deleted within 180 days (and after 90 days if anonymised data is processed) .

7.2 Active use of the website

In the context of video legitimisation, WebID AutoID or equivalent legitimisation or identification and digital contract signing, we process your data on behalf of our partners. The storage period therefore depends on the contractual agreements you have made with the partner or the statutory retention periods applicable to the partner. Under the Money Laundering Act, our partner may be obliged to store the data for a period of up to five years or for a period of up to 10 years in accordance with commercial or tax law requirements.

As part of the provision of services relating to qualified electronic signatures, there is also an obligation to store your data for the long term in accordance with the provisions of the eIDAS Regulation and the accompanying national legal acts in order to ensure legally secure evidence of the services provided in this way. In Austria, for example, the storage period is up to 35 years.

If you have given your consent to the processing of your data, we will retain your data until you withdraw your consent; in these cases, we may also have to archive your data due to statutory or legal requirements. In these cases, your data will of course be blocked for use for other purposes and only retained for the fulfilment of our statutory or legal obligations.

If you send us an enquiry when using our website or if we process your data as part of a contractual relationship, we will store your personal data for the duration of the response to your enquiry or for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the fulfilment of a contract.

In addition, we then store your personal data until the limitation period for any legal claims arising from the relationship with you has expired, in order to use it as evidence if necessary. The limitation period is usually between 1 and 3 years, but can also be up to 30 years.

We delete your personal data when the statute of limitations expires, unless there is a statutory retention obligation, for example from the German Commercial Code (Sections 238, 257 (4) HGB) or from the German Fiscal Code (Section 147 (3), (4) AO). These retention obligations can last from two to ten years.

8. Your rights as a data subject

You are entitled to the following rights as a data subject under the legal requirements, which you can assert against us:

Right to information: You are entitled to request confirmation from us at any time within the framework of Art. 15 GDPR as to whether we are processing personal data concerning you; if this is the case, you are also entitled within the framework of Art. 15 GDPR to receive information about this personal data and certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, your rights, the origin of the data, the use of automated decision-making and, in the case of third country transfer, the appropriate guarantees) and a copy of your data.

Right to rectification: In accordance with Art. 16 GDPR, you are entitled to demand that we rectify the personal data stored about you if it is inaccurate or incorrect.

Right to erasure: You are entitled, under the conditions of Art. 17 GDPR, to demand that we erase personal data concerning you without undue delay. The right to erasure does not exist, among other things, if the processing of personal data is necessary for (i) the exercise of the right to freedom of expression and information, (ii) to fulfil a legal obligation to which we are subject (e.g. statutory retention obligations) or (iii) for the assertion, exercise or defence of legal claims.

Right to restriction of processing: You are entitled to demand that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

Right to data portability: You are entitled, under the conditions of Art. 20 GDPR, to request that we provide you with the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format.

Right to object: You are entitled to object to the processing of your personal data under the conditions of Art. 21 GDPR, so that we must stop processing your personal data. The right to object exists only within the limits provided for in Art. 21 GDPR. In addition, our interests may conflict with the termination of processing, so that we are authorised to process your personal data despite your objection.

Right to lodge a complaint: You can address complaints to the bodies named under points 1 and 2. Furthermore, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR, subject to the conditions of Art. 77 GDPR. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.

The supervisory authority responsible for us is
Berlin Commissioner for Data Protection and Freedom of Information,
Alt-Moabit 59-61, 10555 Berlin.
E-mail: mailbox@datenschutz-berlin.de
Telephone number head office: +49 30 13889-0
Fax: +49 30 2155050

Revocation of consent: If you revoke your consent to the collection, processing and use of your data in whole or in part with effect for the future, we will immediately delete your data to the extent requested by you or block it for further use, subject to statutory retention periods.

9. Obligation to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make our website available to you, answer your enquiries to us or provide our services to you. Personal data that we absolutely need for the above-mentioned processing purposes is marked with an “*” or another symbol.

10. Automated decision-making

As a matter of principle, we do not use automated decision-making to analyse your personal circumstances.

When using WebID AutoID, however, the ID documents are checked in the background by software supported by artificial intelligence, which checks both the authenticity of the ID documents using various security features and whether the photo on the ID documents matches the photo taken during the identification process. In the event of anomalies and to check that the software is working correctly, trained service staff can be called in to check individual identification processes. The results of the identification are automatically transmitted to the partner after the check

In addition, TrueID automatically compares the data that the partner transmits to us with the data stored in the user profile and then calculates a mathematical probability value regarding the presence in the WebID user profile database. This value is transmitted to the requesting partner, who can then decide independently whether to make use of identification.

In accordance with Art. 22 (3) GDPR, you have the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision if automated decision-making is used. These rights must be asserted against the partner. The partner can also offer you alternative procedures, for example. In the case of the TrueID procedure carried out by WebID, the rights must be asserted against WebID.

Should we use further procedures in individual cases, we will inform you accordingly.

11. Encryption

When collecting or transmitting your data, we use state-of-the-art SSL encryption (SSL = Secure Sockets Layer). SSL encryption guarantees the confidentiality of communication. This security feature is active when either the symbol of an intact key or a closed lock (depending on the browser) appears at the bottom of your browser window.

Right of objection

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you by us which is based on Article 6(1)(e) (performance of a task carried out in the public interest) or Article 6(1)(f) GDPR (legitimate interest of the controller), if there are grounds relating to your particular situation; this also applies to profiling based on these provisions. We will then no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing purposes. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
Please address any objections to the address given under point 1.

Object to the analysis of user behaviour and targeted advertising by LinkedIn under the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Furthermore, members of LinkedIn can control the use of their personal data for advertising purposes in the account settings. To prevent LinkedIn from linking data collected on our website to your LinkedIn account, you must log out of your LinkedIn account before visiting our website.

Consent to data processing by Google Analytics can also be revoked at any time.

12. Changes

We reserve the right to amend this privacy policy at any time. Any changes will be publicised by publishing the amended privacy policy on our website. Unless otherwise specified, such changes will take effect immediately. Please therefore check this privacy policy regularly to view the latest version.

Last updated in October 2024