English | German | Spanish | Romanian | French

Smart Ident Data Protection

This data protection declaration explains the purposes and legal basis of the processing of your personal data within the meaning of the General Data Protection Regulation (DSGVO).

This policy is divided into:

  1. Data protection officer

  2. Use of our website

  3. Use of our identification services

  4. Legal basis and rights & obligations

  5. Miscellaneous

1. Data Protection Officer

1.1 Data Controller for the use of the website and selected Smart Ident services

The Data Controller within the meaning of the DSGVO is JERRA GmbH, Heinrich-Barth-Straße 18, 66115 Saarbrücken, Germany, e-mail: gdpr@smartident.id

You can also reach our data protection officer at: [email protected] .

1.2 Data Controller for Smart Ident identification services

This is the case, for example, when you sign up at an online bank and use a Smart Ident-provided sign-up process.

The data controller as defined by the GDPR is the client in whose name Smart Ident provides services. The respective data protection officer and further information can be found at our clients site, e.g. at the bank or website you are about to register with.

2. Use of a Smart Ident website

You can visit our websites without providing any personal information. We only process data that your browser transmits to technically enable you to visit the website and data that is transmitted to us in the context of cookies.

2.1 Provision of the website

When you visit our websites, information is automatically collected by our IT systems to enable you to use the website. The following information is collected:

  • Browser type and version

  • Operating system used

  • Referrer URL

  • Time of the server request

  • IP address (anonymised)

  • The referring website from which the access is initiated.

The temporary storage of your IP address by our system is necessary to enable delivery of the website to your computer. For this purpose, the user’s IP address must necessarily be stored for the duration of the session.

The temporary storage of the IP address in the log files is done for error analysis and to ensure the security of our information technology systems (e.g. attack detection). This data is deleted regularly. Likewise, no consolidation of collected data with other data takes place.

2.2 Statistical analysis of the use of the website and increase in reach

When visiting our website, your surfing behaviour can be statistically evaluated. This is done mainly with cookies and with so-called web analytics programs. This allows us to improve the quality of our website and its content. We learn how the website is used and can thus constantly optimise our offer. You will find detailed information on this in the following explanations.

IP anonymisation

We have activated the IP anonymisation function on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Browser plugin

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

Objection to data collection

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set, which will prevent the collection of your data during future visits to this website.

You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de and https://policies.google.com/privacy?hl=de.

3. Use of the Smart Ident identification services

You will typically use Smart Ident services when you sign up for a service with one of our clients. We provide identity verification services for a wide range of businesses, but especially where strict legal frameworks apply. For example, to secure your valuable data, such as health data, or to comply with strict anti-money laundering and anti-terrorism regulations. In the course of such identification processes, you usually have to give your contractual partner certain consents for data processing or the GDPR mandates certain processing processes if necessary for the fulfilment of the contract or if it is a legally obligatory activity.

Smart Ident regularly acts as a data processing partner for our customers and carries out certain verification steps. Naturally, services for establishing identity also require your personal data.

3.1 Verification services

The processing of your data by Smart Ident in connection with the establishment of identity (verification) is carried out on behalf of a client of Smart Ident at whose request the verification is carried out (“partner”).

Your data will be processed for the sole purpose of verifying and confirming your submitted data like identity, declarations, dates, age or any other information requested by the partner.

For this purpose, we process for the respective partner the data that you provide to us in the course of your use of the if applicable, data that the respective partner provides to us for the purpose of matching and, in certain cases, also publicly accessible information, for example from government or private-sector databases.

The scope of the processing of this data and the legal basis for this processing depend on the intended or already existing contractual relationship between you and the partner as well as the underlying legal requirements.

Depending on the legal basis for the verification process, certain documents such as an official photo ID, health card, invoices or other documents may be required. As a rule, a subset of the data below is processed during personal verifications, whereby the exact scope of this data or the processing depends on the respective identification method:

Catalogue of possible data elements

  • Name, first name

  • Birthplace

  • Date of birth

  • Nationality

  • Full address

  • Mobile number

  • Personal numbers

  • Photo/screenshot of the person and the front and back of the identification document, if necessary or on a random basis also video/audio recordings

  • ID card data (such as date and place of issue, issuing authority, etc.)

  • Special data*:

    • Biometric profile of the person (selfie)

    • solvency data

    • Open Banking

*) Under certain circumstances, it may be necessary for you to consent to the processing of special data for identification purposes on the basis of Art. 6 (1) a or Art. 9 (2) a DSGVO. This concerns, for example, biometric data or solvency data.

Special case of Open Banking

Smart Ident makes it possible to carry out so-called payment releases or account information queries by means of Open Banking. This is a strictly regulated procedure and is subject to the so-called 2nd Payment Services Directive (PSD2, in Austria ZaDIG), which enables certified providers to provide easy and secure access. If you use such a procedure, we or our partner explicitly ask for your permission to perform the action in question. With this permission, we will connect directly to your bank where you will perform an approval with your bank in your usual secure online banking environment. Please note that our Open Banking services always run in the secure environment of your banking institution. Never enter your bank account access details on other sites. You can find more information on the security of Open Banking on our website.

3.2 Verification completion and legal basis of processing

Once the verification has been completed, we will send the verification results and, if necessary, the collected data to the partner. We will hold your verification record until confirmation from the partner, but usually no longer than 24 hours after your verification has been completed.

If Smart Ident has a legal obligation to store data for longer periods, data may also be stored for a longer period on this legal basis.

The partner is obliged to process the transmitted data in order to fulfil its legal obligations or its rights and obligations arising from the contractual relationship with you.

The processing of your personal data is in each case based on the DSGVO at least one of the following legal bases for lawful data processing (Art 6 para 1 DSGVO):

  • The data subject has given his/her consent to the processing of personal data concerning him/her for one or more specific purposes.

  • The processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject’s request.

  • Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • The processing protects vital interests of the data subject or a third party.

  • The processing protects overriding legitimate interests of the child.

  • The processing protects legitimate interests of the controller or a third party.

  • The processing serves public interests.

Furthermore, in the course of commissioned processing in which Smart Ident fulfils a task of the partner pursuant to Art. 28 DSGVO. As a rule, points 1, 2, 3 or 7 are applicable for verifications with Smart Ident.

3.3 Special case Qualified Electronic Signature (QES)

Our partners use Smart Ident as a local registration authority for Qualified Signatures to perform verifications or digital signatures using QES. QES is an alternative to a handwritten signature at the highest security level and is regulated in the eIDAS Regulation (Regulation (EU) No 910/2014). Smart Ident is authorised as a certified identification service provider and local registration authority to offer these services. In doing so, we are subject to the legal obligation to store identification credentials securely for a period of up to 20 or 35 years. The processing is carried out in accordance with the above number (1) and (2) from point 3.2, i.e. Art. 6 para. 1 lit. a and lit b DSGVO.

If you have given your consent to the processing of your data, we will retain your data until you revoke it; in these cases, we may also have to archive your data due to statutory or legal requirements. In these cases, your data will of course be blocked for use for other purposes and will only be retained to fulfil our statutory or legal obligations.

3.4 Categories of recipients

Within Smart Ident, only those departments that need the data to fulfil our contractual and legal obligations are granted access to the data.

As part of our activity as a processor, we transmit the collected data to the respective partner with whom you are in contact. The partner will process the transmitted data to fulfil its obligations under money laundering law or other identification obligations as well as its rights and obligations arising from the contractual relationship between the partner and you or within the scope of the digital signature, in particular to prove the conclusion of the contract.

We also share your personal data with other recipients where permitted or required by law. In some cases, these recipients provide services to us in connection with our services (in particular sub-service providers of the verification services). In doing so, we limit the disclosure of your personal data to what is necessary, in particular in order to be able to provide our services. If our service providers receive your personal data as processors, they are strictly bound by our instructions when handling your personal data.

3.5 Third country transfer

We do not transfer your personal data to countries outside the EU or the EEA or to international organisations.

For individual elements of the verification service for which no adequate service is available within the European Union, service providers in third countries are used. In addition to our bilateral contractual agreements, these are obliged to comply with the level of data protection in Europe by agreeing to the EU standard contractual clauses. Alternatively, we transfer data on the basis of the Binding Corporate Rules or an adequacy decision.

In the event of a transfer of data to countries outside the European Union, we ensure that a level of data protection within the meaning of Art. 44 et seq. DSGVO is complied with. Unfortunately, due to the laws of non-EU countries (e.g. within the framework of the Cloud Act in the USA), even if corresponding agreements and sets of rules are concluded, there is a possibility that government agencies will access your personal data without us or you being able to prevent, stop or control this. For these reasons, your consent also includes the purpose of data transfer to countries outside the EU.

Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.

4. Legal basis and rights & duties

Enquiries

In order to process and respond to your enquiries to us, e.g. via the contact form or to our email address, we process the data you provide in this context. This includes your name, age and email address in order to send you a reply, as well as the other information you send us as part of your communication.

We process your data to respond to your enquiries on the following legal basis:

  • If you contact us in the context of a contract to which you are a party or in order to carry out pre-contractual measures, the legal basis is Art. 6 para. 1 lit. b DSGVO.

  • To protect our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO; our legitimate interest is to respond appropriately to customer enquiries.

Compliance with statutory regulations

We also process your personal data in order to fulfil other legal obligations. These may affect us in connection with business communication, among other things. These include, in particular, retention periods under commercial, trade or tax law.

We process your personal data in order to fulfil a legal obligation to which we are subject. The legal basis is Art. 6 para. 1 lit. c DSGVO in conjunction with commercial, trade or tax law, insofar as we are obliged to record and store your data.

Law enforcement

We also process your personal data in order to be able to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data to the extent necessary to prevent or prosecute criminal offences.

We process your personal data for this purpose to protect our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO, insofar as we assert legal claims, defend ourselves in legal disputes, we prevent or investigate criminal offences.

Your rights as a data subject

You are entitled to the following rights as a data subject, which you can assert against us, subject to the legal requirements:

  1. the exercise of the right to freedom of expression and information,

  2. to fulfil a legal obligation to which we are subject (e.g. statutory retention obligations) or

  3. for the assertion, exercise or defence of legal claims.

  • Right to restrict processing: You are entitled to demand that we restrict the processing of your personal data under the conditions of Art. 18 DSGVO.

  • Right to data portability: You are entitled, under the conditions of Art. 20 DSGVO, to demand that we hand over to you the personal data concerning you that you have provided to us in a structured, common and machine-readable format.

  • Right to object: You have the right to object to the processing of your personal data under the conditions of Art. 21 DSGVO, so that we have to stop processing your personal data. The right to object only exists within the limits provided for in Art. 21 DSGVO. In addition, our interests may conflict with the termination of processing, so that we are entitled to process your personal data despite your objection.

  • Right of complaint: You can address complaints to the office mentioned under point 1.2. Furthermore, you are entitled to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, under the conditions of Art. 77 DSGVO, if you are of the opinion that the processing of personal data concerning you violates the DSGVO. The right of appeal is without prejudice to any other administrative or judicial remedy.

  • Revocation of consent:If you revoke your consent to the collection, processing and use of your data in whole or in part with effect for the future, we will immediately delete your data to the extent requested by you or block it for further use, subject to statutory retention periods.

Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you by us on the basis of Article 6(1)(e) (performance of a task carried out in the public interest) or Article 6(1)(f) DSGVO (legitimate interest of the controller). We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

5 Miscellaneous

External content

Some sections of our website contain links to third party websitesWhen you access these links, no personal data is transferred to these third-party providers. The websites of all third-party providers are subject to their own data protection principles. We are not responsible for their operation including data handling. If you send information to or via such third-party sites, you should check the privacy statements of these sites before you send them any information that can be attributed to you personally.

Secure encryption

When collecting or transmitting your data, we use state-of-the-art SSL encryption (SSL = Secure Sockets Layer). SSL encryption ensures the confidentiality of communication. This security feature is active when either the symbol of an intact key or a closed lock (browser-dependent) appears in the lower area of your browser window.

Changes

We reserve the right to change this privacy policy at any time.

Any changes will be announced by posting the amended privacy policy on our website. Unless otherwise specified, such changes will be effective immediately. Therefore, please check this Privacy Policy periodically to review the most current version.

Last updated October 2023

JERRA GmbH, Heinrich-Barth-Straße 18, 66115 Saarbrücken, Germany